Import IPFilter 4.1.3

martti 2004-07-23 05:33:55 +00:00
parent c3138ef3da
commit 9e82a8bf0d
163 changed files with 6667 additions and 423 deletions

5
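--- a/dist/ipf/Linux/Tips_SuSE91.txt
+++ b/dist/ipf/Linux/Tips_SuSE91.txt
@@ -0,0 +1,5 @@
+cd /usr/src/linux
+make mrproper
+cp /boot/config-* .config
+make oldconfig
+make prepare-all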

8
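--- a/dist/ipf/Linux/howchkconfig
+++ b/dist/ipf/Linux/howchkconfig
@@ -0,0 +1,8 @@
+#!/bin/sh
+level=`/sbin/chkconfig --help 2>& 1 | grep level`
+if [ "$level" = "" ] ; then
+echo '-s ipfilter 2345'
+else
+echo '--level 2345 ipfilter on'
+fi
+exit 0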

8
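--- a/dist/ipf/Linux/initscript
+++ b/dist/ipf/Linux/initscript
@@ -0,0 +1,8 @@
+#!/bin/sh
+if [ -f /etc/SuSE-release ] ; then
+echo ipfilter-suse
+fi
+if [ -f /etc/redhat-release ] ; then
+echo ipfilter-redhat
+fi
+exit 0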

105
dist/ipf/Linux/ipfilter-redhat vendored Normal file

@ -0,0 +1,105 @@
#!/bin/sh
#
# chkconfig: 2345 26 74
# description: ipfilter
# processname: ipfilter
# config: /etc/sysconfig/ipfilter
CONFIG=/etc/sysconfig/ipfilter
LOGPRI=user.info
IPFCONF=/etc/ipf.conf
IPNATCONF=/etc/ipnat.conf
IPPOOLCONF=/etc/ippool.conf
# Source function library.
. /etc/init.d/functions
if [ ! -f /etc/ipf.conf -a ! -f /etc/ipnat.conf ] ; then
exit 0
fi
RETVAL=0
logit() {
if [ $1 -ne 0 ] ; then
logger -t $2 -p $LOGPRI "$3"
fi
}
start() {
/sbin/insmod -s ipfilter
echo -n $"Starting IPFilter: "
minor=0
ipfdev=`awk ' /ipf/ { print $1; } ' /proc/devices`
for i in ipl ipnat ipstate ipauth ipsync ipscan iplookup; do
/bin/rm -f /dev/$i
mknod /dev/$i c $ipfdev $minor
minor=`expr $minor + 1`
done
if [ -f $IPFCONF ] ; then
msg=`/sbin/ipf -f $IPFCONF 2>&1`
RETVAL=$?
logit $RETVAL ipf "$msg"
fi
if [ $RETVAL -eq 0 -a -f $IPNATCONF ] ; then
msg=`/sbin/ipnat -f $IPNATCONF 2>&1`
RETVAL=$?
logit $RETVAL ipnat "$msg"
fi
if [ $RETVAL -eq 0 -a -f $IPPOOLCONF ] ; then
msg=`/sbin/ippool -f $IPPOOLCONF 2>&1`
RETVAL=$?
logit $RETVAL ippool "$msg"
fi
if [ $RETVAL -eq 0 ] ; then
/sbin/ipmon -Das
RETVAL=$?
fi
if [ $RETVAL -eq 0 ] ; then
echo_success
else
echo_failure
fi
echo
return $RETVAL
}
stop() {
echo -n $"Shutting down IPFilter: "
killproc ipmon
RETVAL=$?
[ $RETVAL -eq 0 ] && /sbin/modprobe -r ipfilter 2>&1 >/dev/null
echo
return $RETVAL
}
dostatus() {
status ipmon
RETVAL=$?
}
restart() {
stop
start
RETVAL=$?
}
# See how we were called.
case "$1" in
start)
start
;;
stop)
stop
;;
status)
dostatus
;;
restart|reload)
restart
;;
*)
echo "Usage: ipfilter {start|stop|status|restart|reload}"
RETVAL=1
esac
exit $?
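Review bot: The `mknod /dev/$i c $ipfdev $minor` loop in start() leaves the mode of the IPFilter control devices to the caller's umask, while the OpenBSD MAKEDEV entries imported in this same commit pin the same nodes to 600; `mknod -m 600 /dev/$i c $ipfdev $minor` would keep unprivileged users from opening the filter, NAT and state devices. `$ipfdev` comes from an unanchored `awk ' /ipf/ { print $1; } '` match on /proc/devices and is used unquoted without checking that it is a single, non-empty major number, and the status of `/sbin/insmod -s ipfilter` is ignored here although ipfilter-suse checks it. The script also ends with `exit $?`, so the `RETVAL=1` set in the usage branch (and the value stored by dostatus and restart) is never returned; `exit $RETVAL` looks like what was intended. The mknod and awk points apply equally to start() in ipfilter-suse.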

105
dist/ipf/Linux/ipfilter-suse vendored Normal file

@ -0,0 +1,105 @@
#!/bin/sh
#
# chkconfig: 2345 26 74
# description: ipfilter
# processname: ipfilter
# config: /etc/sysconfig/ipfilter
CONFIG=/etc/sysconfig/ipfilter
LOGPRI=user.info
IPFCONF=/etc/ipf.conf
IPNATCONF=/etc/ipnat.conf
IPPOOLCONF=/etc/ippool.conf
# Source function library.
. /etc/rc.status
if [ ! -f /etc/ipf.conf -a ! -f /etc/ipnat.conf ] ; then
exit 0
fi
rc_reset
rc=0
logit() {
if [ $1 -ne 0 ] ; then
logger -t $2 -p $LOGPRI "$3"
fi
}
start() {
/sbin/insmod -s ipfilter
rc=$?
if [ ${rc} -ne 0 ] ; then
rc_status -v
exit $rc
fi
echo -n $"Starting IPFilter: "
minor=0
ipfdev=`awk ' /ipf/ { print $1; } ' /proc/devices`
for i in ipl ipnat ipstate ipauth ipsync ipscan iplookup; do
/bin/rm -f /dev/$i
mknod /dev/$i c $ipfdev $minor
minor=`expr $minor + 1`
done
if [ -f $IPFCONF ] ; then
msg=`/sbin/ipf -f $IPFCONF 2>&1`
rc=$?
logit $rc ipf "$msg"
fi
if [ $rc -eq 0 -a -f $IPNATCONF ] ; then
msg=`/sbin/ipnat -f $IPNATCONF 2>&1`
rc=$?
logit $rc ipnat "$msg"
fi
if [ $rc -eq 0 -a -f $IPPOOLCONF ] ; then
msg=`/sbin/ippool -f $IPPOOLCONF 2>&1`
rc=$?
logit $rc ippool "$msg"
fi
if [ $rc -eq 0 ] ; then
/sbin/ipmon -Das
rc=$?
fi
rc_status -v
return $rc
}
stop() {
echo -n $"Shutting down IPFilter: "
killproc ipmon
rc=$?
[ $rc -eq 0 ] && /sbin/modprobe -r ipfilter 2>&1 >/dev/null
rc_status -v
}
dostatus() {
status ipmon
rc=$?
}
restart() {
stop
start
rc=$?
}
# See how we were called.
case "$1" in
start)
start
;;
stop)
stop
;;
status)
dostatus
;;
restart|reload)
restart
;;
*)
echo "Usage: ipfilter {start|stop|status|restart|reload}"
rc=1
esac
rc_status -v
exit $?

8
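--- a/dist/ipf/Linux/mkinit
+++ b/dist/ipf/Linux/mkinit
@@ -0,0 +1,8 @@
+#!/bin/sh
+if [ -f /etc/SuSE-release ] ; then
+cp ../ipfilter-suse ipfilter
+fi
+if [ -f /etc/redhat-release ] ; then
+cp ../ipfilter-redhat ipfilter
+fi
+exit 0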

797
dist/ipf/OpenBSD-3/3.4-MAKEDEV-diffs vendored Normal file

@ -0,0 +1,797 @@
Index: etc/MAKEDEV.mi
===================================================================
RCS file: /cvs/src/etc/MAKEDEV.mi,v
retrieving revision 1.57
diff -c -r1.57 MAKEDEV.mi
*** etc/MAKEDEV.mi 16 Mar 2003 13:15:53 -0000 1.57
--- etc/MAKEDEV.mi 8 Jun 2003 07:40:20 -0000
***************
*** 152,157 ****
--- 152,161 ----
target(all, pctr)dnl
target(all, pctr0)dnl
target(all, pf)dnl
+ target(all, ipl)dnl
+ target(all, ipnat)dnl
+ target(all, ipstate)dnl
+ target(all, ipauth)dnl
twrget(all, cry, crypto)dnl
target(all, apm)dnl
twrget(all, tth, ttyh, 0, 1)dnl
***************
*** 558,563 ****
--- 562,575 ----
_mkdev(cry, crypto, {-M crypto c major_cry_c-} 0)dnl
__devitem(pf, pf*, Packet Filter)dnl
_mkdev(pf, {-pf*-}, {-M pf c major_pf_c 0 600-})dnl
+ __devitem(ipl, ipl*, Packet Filter log)dnl
+ _mkdev(ipl, {-ipl*-}, {-M ipl c major_ipl_c 0 600-})dnl
+ __devitem(ipnat, ipnat*, Packet Filter NAT)dnl
+ _mkdev(ipnat, {-ipnat*-}, {-M ipnat c major_ipnat_c 1 600-})dnl
+ __devitem(ipstate, ipstate*, Packet Filter state)dnl
+ _mkdev(ipstate, {-ipstate*-}, {-M ipstate c major_ipstate_c 2 600-})dnl
+ __devitem(ipauth, ipauth*, Packet Filter auth)dnl
+ _mkdev(ipauth, {-ipauth*-}, {-M ipauth c major_ipauth_c 3 600-})dnl
__devitem(bpf, bpf*, Berkeley Packet Filter)dnl
_mkdev(bpf, {-bpf*-}, {-M bpf$U c major_bpf_c $U 600-}, 600)dnl
_mkdev(tun, {-tun*-}, {-M tun$U c major_tun_c $U 600-}, 600)dnl
Index: etc/etc.alpha/MAKEDEV
===================================================================
RCS file: /cvs/src/etc/etc.alpha/MAKEDEV,v
retrieving revision 1.95
diff -c -r1.95 MAKEDEV
*** etc/etc.alpha/MAKEDEV 6 Jan 2003 17:19:59 -0000 1.95
--- etc/etc.alpha/MAKEDEV 8 Jun 2003 07:40:24 -0000
***************
*** 71,76 ****
--- 71,77 ----
# utty* Serial ports
# Special purpose devices:
# ch* SCSI media changer
+ # ipl IP Filter
# pf* Packet Filter
# bpf* Berkeley Packet Filter
# iop* I2O controller device
***************
*** 330,335 ****
--- 331,343 ----
M bpf$U c 11 $U 600
;;
+ ipl)
+ M ipl c 44 0 600
+ M ipnat c 44 1 600
+ M ipstate c 44 2 600
+ M ipauth c 44 2 600
+ ;;
+
pf*)
M pf c 35 0 600
;;
***************
*** 494,499 ****
--- 502,508 ----
R tty00 tty01 tty02 tty03 ttyc0 ttyc1 ttyc2 ttyc3 ttyc4 ttyc5
R ttyc6 ttyc7 ttyB0 ttyB1 ttyB2 ttyB3 ttyB4 ttyB5 pf systrace
R wd0 wd1 wd2 wd3 raid0 raid1 raid2 raid3 std st0 st1 fd
+ R ipl
;;
wd*|sd*|raid*|ccd*)
Index: etc/etc.alpha/MAKEDEV.md
===================================================================
RCS file: /cvs/src/etc/etc.alpha/MAKEDEV.md,v
retrieving revision 1.15
diff -c -r1.15 MAKEDEV.md
*** etc/etc.alpha/MAKEDEV.md 5 Dec 2002 04:30:21 -0000 1.15
--- etc/etc.alpha/MAKEDEV.md 8 Jun 2003 07:40:25 -0000
***************
*** 66,71 ****
--- 66,75 ----
_TITLE(spec)
_DEV(ch, 14)
_DEV(pf, 35)
+ _DEV(ipl, 44)
+ _DEV(ipnat, 44)
+ _DEV(ipstate, 44)
+ _DEV(ipauth, 44)
_DEV(bpf, 11)
_DEV(iop, 54)
_DEV(pci, 52)
Index: etc/etc.hp300/MAKEDEV
===================================================================
RCS file: /cvs/src/etc/etc.hp300/MAKEDEV,v
retrieving revision 1.63
diff -c -r1.63 MAKEDEV
*** etc/etc.hp300/MAKEDEV 6 Jan 2003 17:19:59 -0000 1.63
--- etc/etc.hp300/MAKEDEV 8 Jun 2003 07:40:25 -0000
***************
*** 61,66 ****
--- 61,67 ----
# ite* terminal emulator interface to HP300 graphics devices
# hil HP300 HIL input devices
# bpf* Berkeley Packet Filter
+ # ipl IP Filter
# tun* network tunnel driver
# pf* Packet Filter
# lkm loadable kernel modules interface
***************
*** 316,321 ****
--- 317,329 ----
M lkm c 24 0 640 _lkm
;;
+ ipl)
+ M ipl c 37 0 600
+ M ipnat c 37 1 600
+ M ipstate c 37 2 600
+ M ipauth c 37 3 600
+ ;;
+
pf*)
M pf c 33 0 600
;;
***************
*** 395,400 ****
--- 403,409 ----
R sd2 sd3 sd4 rd0 tun0 tun1 tun2 tun3 bpf0 bpf1 bpf2 bpf3 bpf4
R bpf5 bpf6 bpf7 bpf8 bpf9 pty0 pty1 pty2 xfs0 local ppi0
R apci0 random lkm pf systrace std fd
+ R ipl
;;
sd*|hd*|ccd*)
Index: etc/etc.hp300/MAKEDEV.md
===================================================================
RCS file: /cvs/src/etc/etc.hp300/MAKEDEV.md,v
retrieving revision 1.12
diff -c -r1.12 MAKEDEV.md
*** etc/etc.hp300/MAKEDEV.md 25 Dec 2002 20:20:20 -0000 1.12
--- etc/etc.hp300/MAKEDEV.md 8 Jun 2003 07:40:26 -0000
***************
*** 84,89 ****
--- 84,93 ----
_DEV(bpf, 22)
_DEV(tun, 23)
_DEV(pf, 33)
+ _DEV(ipl, 37)
+ _DEV(ipnat, 37)
+ _DEV(ipstate, 37)
+ _DEV(ipauth, 37)
_DEV(lkm, 24)
_DEV(rnd, 32)
_DEV(xfs, 51)
Index: etc/etc.hppa/MAKEDEV
===================================================================
RCS file: /cvs/src/etc/etc.hppa/MAKEDEV,v
retrieving revision 1.34
diff -c -r1.34 MAKEDEV
*** etc/etc.hppa/MAKEDEV 5 Feb 2003 20:18:36 -0000 1.34
--- etc/etc.hppa/MAKEDEV 8 Jun 2003 07:40:26 -0000
***************
*** 62,67 ****
--- 62,68 ----
# Special purpose devices:
# fd makes fd/* for the fdescfs
# bpf* Berkeley Packet Filter
+ # ipl IP Filter
# tun* network tunnel driver
# pf* Packet Filter
# lkm loadable kernel modules interface
***************
*** 266,271 ****
--- 267,279 ----
M lkm c 19 0 640 _lkm
;;
+ ipl)
+ M ipl c 38 0 600
+ M ipnat c 38 1 600
+ M ipstate c 38 2 600
+ M ipauth c 38 3 600
+ ;;
+
pf*)
M pf c 21 0 600
;;
***************
*** 412,417 ****
--- 420,426 ----
R xfs0 ss0 ss1 ch0 ses0 wscons audio0 uk0 random lpa0 lpa1
R lpa2 lpt0 lpt1 lpt2 lkm tty00 tty01 tty02 tty03 crypto pf
R systrace std st0 st1 fd
+ R ipl
;;
sd*|ccd*)
Index: etc/etc.hppa/MAKEDEV.md
===================================================================
RCS file: /cvs/src/etc/etc.hppa/MAKEDEV.md,v
retrieving revision 1.13
diff -c -r1.13 MAKEDEV.md
*** etc/etc.hppa/MAKEDEV.md 5 Feb 2003 20:17:38 -0000 1.13
--- etc/etc.hppa/MAKEDEV.md 8 Jun 2003 07:40:26 -0000
***************
*** 58,63 ****
--- 58,67 ----
_DEV(bpf, 17)
_DEV(tun, 18)
_DEV(pf, 21)
+ _DEV(ipl, 38)
+ _DEV(ipnat, 38)
+ _DEV(ipstate, 38)
+ _DEV(ipauth, 38)
_DEV(lkm, 19)
_DEV(rnd, 20)
_DEV(xfs, 31)
Index: etc/etc.i386/MAKEDEV
===================================================================
RCS file: /cvs/src/etc/etc.i386/MAKEDEV,v
retrieving revision 1.139
diff -c -r1.139 MAKEDEV
*** etc/etc.i386/MAKEDEV 6 Jan 2003 17:19:59 -0000 1.139
--- etc/etc.i386/MAKEDEV 8 Jun 2003 07:40:27 -0000
***************
*** 79,84 ****
--- 79,85 ----
# Special purpose devices:
# fd makes fd/* for the fdescfs
# crypto hardware crypto access driver
+ # ipl IP Filter
# pf* Packet Filter
# bpf* Berkeley Packet Filter
# speaker pc speaker
***************
*** 373,378 ****
--- 374,386 ----
M bpf$U c 23 $U 600
;;
+ ipl)
+ M ipl c 81 0 600
+ M ipnat c 81 1 600
+ M ipstate c 81 2 600
+ M ipauth c 81 3 600
+ ;;
+
pf*)
M pf c 73 0 600
;;
***************
*** 569,574 ****
--- 577,583 ----
R tty03 ttyc0 ttyc1 ttyc2 ttyc3 ttyc4 ttyc5 ttyc6 ttyc7 apm
R crypto pf pctr systrace wd0 wd1 wd2 wd3 raid0 raid1 raid2
R raid3 std st0 st1 fd mcd0
+ R ipl
;;
wd*|sd*|raid*|ccd*)
Index: etc/etc.i386/MAKEDEV.md
===================================================================
RCS file: /cvs/src/etc/etc.i386/MAKEDEV.md,v
retrieving revision 1.16
diff -c -r1.16 MAKEDEV.md
*** etc/etc.i386/MAKEDEV.md 5 Dec 2002 04:30:21 -0000 1.16
--- etc/etc.i386/MAKEDEV.md 8 Jun 2003 07:40:27 -0000
***************
*** 74,79 ****
--- 74,83 ----
_DEV(fdesc, 22)
_DEV(cry, 70)
_DEV(pf, 73)
+ _DEV(ipl, 81)
+ _DEV(ipnat, 81)
+ _DEV(ipstate, 81)
+ _DEV(ipauth, 81)
_DEV(bpf, 23)
_DEV(speak, 27)
_DEV(lkm, 28)
Index: etc/etc.mac68k/MAKEDEV
===================================================================
RCS file: /cvs/src/etc/etc.mac68k/MAKEDEV,v
retrieving revision 1.65
diff -c -r1.65 MAKEDEV
*** etc/etc.mac68k/MAKEDEV 6 Jan 2003 17:19:59 -0000 1.65
--- etc/etc.mac68k/MAKEDEV 8 Jun 2003 07:40:29 -0000
***************
*** 56,61 ****
--- 56,62 ----
# CyberVision 64 (grf5)
# Special purpose devices:
# bpf* Berkeley Packet Filter
+ # ipl IP Filter
# tun* network tunnel driver
# pf* Packet Filter
# lkm loadable kernel modules interface
***************
*** 277,282 ****
--- 278,290 ----
M lkm c 25 0 640 _lkm
;;
+ ipl)
+ M ipl c 38 0 600
+ M ipnat c 38 1 600
+ M ipstate c 38 2 600
+ M ipauth c 38 3 600
+ ;;
+
pf*)
M pf c 35 0 600
;;
***************
*** 355,360 ****
--- 363,369 ----
R xfs0 ss0 ss1 ch0 vnd0 vnd1 vnd2 vnd3 sd0 sd1 sd2 sd3 sd4
R local grf0 grf1 grf2 grf3 adb asc0 uk0 random lkm ttye0
R tty00 tty01 pf systrace std st0 st1 fd
+ R ipl
;;
sd*|ccd*)
Index: etc/etc.mac68k/MAKEDEV.md
===================================================================
RCS file: /cvs/src/etc/etc.mac68k/MAKEDEV.md,v
retrieving revision 1.10
diff -c -r1.10 MAKEDEV.md
*** etc/etc.mac68k/MAKEDEV.md 5 Dec 2002 04:30:21 -0000 1.10
--- etc/etc.mac68k/MAKEDEV.md 8 Jun 2003 07:40:29 -0000
***************
*** 50,55 ****
--- 50,59 ----
_DEV(bpf, 22)
_DEV(tun, 24)
_DEV(pf, 35)
+ _DEV(ipl, 38)
+ _DEV(ipnat, 38)
+ _DEV(ipstate, 38)
+ _DEV(ipauth, 38)
_DEV(lkm, 25)
_DEV(rnd, 32)
_DEV(uk, 34)
Index: etc/etc.macppc/MAKEDEV
===================================================================
RCS file: /cvs/src/etc/etc.macppc/MAKEDEV,v
retrieving revision 1.37
diff -c -r1.37 MAKEDEV
*** etc/etc.macppc/MAKEDEV 6 Jan 2003 17:19:59 -0000 1.37
--- etc/etc.macppc/MAKEDEV 8 Jun 2003 07:40:30 -0000
***************
*** 72,77 ****
--- 72,78 ----
# audio* audio device
# apm power management device
# bpf* Berkeley Packet Filter
+ # ipl IP Filter
# tun* network tunnel driver
# lkm loadable kernel modules interface
# *random inkernel random data source
***************
*** 256,261 ****
--- 257,269 ----
M crypto c 47 0
;;
+ ipl)
+ M ipl c 45 0 600
+ M ipnat c 45 1 600
+ M ipstate c 45 2 600
+ M ipauth c 45 3 600
+ ;;
+
pf*)
M pf c 39 0 600
;;
***************
*** 456,461 ****
--- 464,470 ----
R local wscons pci iop0 iop1 usbs tuner0 radio0 audio0 uk0
R random lkm tty00 tty01 tty02 tty03 apm crypto pf systrace
R wd0 wd1 wd2 wd3 raid0 raid1 raid2 raid3 std st0 st1 fd
+ R ipl
;;
wd*|sd*|raid*|ccd*)
Index: etc/etc.macppc/MAKEDEV.md
===================================================================
RCS file: /cvs/src/etc/etc.macppc/MAKEDEV.md,v
retrieving revision 1.10
diff -c -r1.10 MAKEDEV.md
*** etc/etc.macppc/MAKEDEV.md 5 Dec 2002 04:30:21 -0000 1.10
--- etc/etc.macppc/MAKEDEV.md 8 Jun 2003 07:40:30 -0000
***************
*** 74,79 ****
--- 74,83 ----
_DEV(xfs, 51)
_DEV(iop, 73)
_DEV(pf, 39)
+ _DEV(ipl, 45)
+ _DEV(ipnat, 45)
+ _DEV(ipstate, 45)
+ _DEV(ipauth, 45)
_DEV(cry, 47)
_DEV(usbs)
_DEV(pci, 71)
Index: etc/etc.mvme68k/MAKEDEV
===================================================================
RCS file: /cvs/src/etc/etc.mvme68k/MAKEDEV,v
retrieving revision 1.51
diff -c -r1.51 MAKEDEV
*** etc/etc.mvme68k/MAKEDEV 6 Jan 2003 17:19:59 -0000 1.51
--- etc/etc.mvme68k/MAKEDEV 8 Jun 2003 07:40:30 -0000
***************
*** 60,65 ****
--- 60,66 ----
# fd makes fd/* for the fdescfs
# bpf* Berkeley Packet Filter
# tun* network tunnel driver
+ # ipl IP Packet Filter
# pf* Packet Filter
# lkm loadable kernel modules interface
# *random inkernel random data source
***************
*** 253,258 ****
--- 254,266 ----
M bpf$U c 22 $U 600
;;
+ ipl)
+ M ipl c 44 0 600
+ M ipnat c 44 1 600
+ M ipstate c 44 2 600
+ M ipauth c 44 3 600
+ ;;
+
fd)
RMlist="mkdir -p fd;$RMlist" n=0
while [ $n -lt 64 ];do M fd/$n c 21 $n;n=$(($n+1));done
***************
*** 389,394 ****
--- 397,403 ----
R tun3 bpf0 bpf1 bpf2 bpf3 bpf4 bpf5 bpf6 bpf7 bpf8 bpf9 pty0
R pty1 pty2 xfs0 ss0 ss1 vmel0 vmes0 flash0 nvram0 sram0 uk0
R random lkm pf systrace std st0 st1 fd
+ R ipl
;;
sd*|ccd*)
Index: etc/etc.mvme68k/MAKEDEV.md
===================================================================
RCS file: /cvs/src/etc/etc.mvme68k/MAKEDEV.md,v
retrieving revision 1.7
diff -c -r1.7 MAKEDEV.md
*** etc/etc.mvme68k/MAKEDEV.md 5 Dec 2002 04:30:21 -0000 1.7
--- etc/etc.mvme68k/MAKEDEV.md 8 Jun 2003 07:40:31 -0000
***************
*** 175,177 ****
--- 175,186 ----
_std(1, 2, 43, 3, 6)
;;
+ ipl)
+ rm -f ipl ipnat ipstate ipauth
+ mknod ipl c 44 0
+ mknod ipnat c 44 1
+ mknod ipstate c 44 2
+ mknod ipauth c 44 3
+ chown root.wheel ipl ipnat ipstate ipauth
+ ;;
+
Index: etc/etc.mvme88k/MAKEDEV
===================================================================
RCS file: /cvs/src/etc/etc.mvme88k/MAKEDEV,v
retrieving revision 1.28
diff -c -r1.28 MAKEDEV
*** etc/etc.mvme88k/MAKEDEV 6 Jan 2003 17:19:59 -0000 1.28
--- etc/etc.mvme88k/MAKEDEV 8 Jun 2003 07:40:31 -0000
***************
*** 55,60 ****
--- 55,61 ----
# fd makes fd/* for the fdescfs
# bpf* Berkeley Packet Filter
# tun* network tunnel driver
+ # ipl IP Packet Filter
# pf* Packet Filter
# lkm loadable kernel modules interface
# *random inkernel random data source
***************
*** 243,248 ****
--- 244,256 ----
M bpf$U c 22 $U 600
;;
+ ipl)
+ M ipl c 41 0 600
+ M ipnat c 41 1 600
+ M ipstate c 41 2 600
+ M ipauth c 41 3 600
+ ;;
+
fd)
RMlist="mkdir -p fd;$RMlist" n=0
while [ $n -lt 64 ];do M fd/$n c 21 $n;n=$(($n+1));done
***************
*** 345,350 ****
--- 353,359 ----
R tun2 tun3 bpf0 bpf1 bpf2 bpf3 bpf4 bpf5 bpf6 bpf7 bpf8 bpf9
R pty0 pty1 pty2 xfs0 vmel0 vmes0 nvram0 sram0 random lkm pf
R systrace std st0 st1 fd
+ R ipl
;;
sd*|ccd*)
Index: etc/etc.mvme88k/MAKEDEV.md
===================================================================
RCS file: /cvs/src/etc/etc.mvme88k/MAKEDEV.md,v
retrieving revision 1.6
diff -c -r1.6 MAKEDEV.md
*** etc/etc.mvme88k/MAKEDEV.md 5 Dec 2002 04:30:21 -0000 1.6
--- etc/etc.mvme88k/MAKEDEV.md 8 Jun 2003 07:40:32 -0000
***************
*** 144,146 ****
--- 144,155 ----
_std(1, 2, 43, 3, 6)
;;
+ ipl)
+ rm -f ipl ipnat ipstate ipauth
+ mknod ipl c 41 0
+ mknod ipnat c 41 1
+ mknod ipstate c 41 2
+ mknod ipauth c 41 3
+ chown root.wheel ipl ipnat ipstate ipauth
+ ;;
+
Index: etc/etc.mvmeppc/MAKEDEV
===================================================================
RCS file: /cvs/src/etc/etc.mvmeppc/MAKEDEV,v
retrieving revision 1.10
diff -c -r1.10 MAKEDEV
*** etc/etc.mvmeppc/MAKEDEV 6 Jan 2003 05:57:39 -0000 1.10
--- etc/etc.mvmeppc/MAKEDEV 8 Jun 2003 07:40:34 -0000
***************
*** 73,78 ****
--- 73,79 ----
# audio* audio
# ch* SCSI media changer
# bpf* Berkeley Packet Filter
+ # ipl IP Filter
# tun* network tunnel driver
# lkm loadable kernel modules interface
# *random inkernal random data source
***************
*** 156,162 ****
sh $this ttyC0 ttyCcfg
sh $this tty00 tty01 tty02 tty03 pty0 pty1
sh $this bpf0 bpf1 bpf2 bpf3 bpf4 bpf5 bpf6 bpf7 bpf8 bpf9
! sh $this pf tun0 tun1 tun2 tun3
sh $this audio0
sh $this random uk0 uk1 ss0 ss1
sh $this wscons
--- 157,163 ----
sh $this ttyC0 ttyCcfg
sh $this tty00 tty01 tty02 tty03 pty0 pty1
sh $this bpf0 bpf1 bpf2 bpf3 bpf4 bpf5 bpf6 bpf7 bpf8 bpf9
! sh $this ipl pf tun0 tun1 tun2 tun3
sh $this audio0
sh $this random uk0 uk1 ss0 ss1
sh $this wscons
***************
*** 522,527 ****
--- 523,538 ----
rm -f bpf${unit}
mknod bpf${unit} c 22 ${unit}
chown root.wheel bpf${unit}
+ ;;
+
+ ipl)
+ rm -f ipl ipnat ipstate ipauth
+ mknod ipl c 44 0
+ mknod ipnat c 44 1
+ mknod ipstate c 44 2
+ mknod ipauth c 44 3
+ chown root.wheel ipl ipnat ipstate ipauth
+ chmod 600 ipl ipnat ipstate ipauth
;;
pf)
Index: etc/etc.sparc/MAKEDEV
===================================================================
RCS file: /cvs/src/etc/etc.sparc/MAKEDEV,v
retrieving revision 1.106
diff -c -r1.106 MAKEDEV
*** etc/etc.sparc/MAKEDEV 6 Jan 2003 17:19:59 -0000 1.106
--- etc/etc.sparc/MAKEDEV 8 Jun 2003 07:40:34 -0000
***************
*** 67,72 ****
--- 67,73 ----
# audio* audio device
# openprom
# bpf* Berkeley Packet Filter
+ # ipl IP Filter
# pf* Packet Filter
# lkm loadable kernel modules interface
# tun* network tunnel driver
***************
*** 288,293 ****
--- 289,301 ----
M lkm c 112 0 640 _lkm
;;
+ ipl)
+ M ipl c 60 0 600
+ M ipnat c 60 1 600
+ M ipstate c 60 2 600
+ M ipauth c 60 3 600
+ ;;
+
pf*)
M pf c 59 0 600
;;
***************
*** 474,479 ****
--- 482,488 ----
R fd0F fd0G fd0H xfs0 ss0 ss1 ch0 ses0 cuaa cuab cuac cuad
R ttya ttyb ttyc ttyd wscons audio0 uk0 random lkm pf systrace
R xd0 xd1 xd2 xd3 raid0 raid1 raid2 raid3 std st0 st1 fd
+ R ipl
;;
xd*|xy*|sd*|raid*|ccd*)
Index: etc/etc.sparc/MAKEDEV.md
===================================================================
RCS file: /cvs/src/etc/etc.sparc/MAKEDEV.md,v
retrieving revision 1.16
diff -c -r1.16 MAKEDEV.md
*** etc/etc.sparc/MAKEDEV.md 5 Dec 2002 04:30:21 -0000 1.16
--- etc/etc.sparc/MAKEDEV.md 8 Jun 2003 07:40:34 -0000
***************
*** 92,97 ****
--- 92,101 ----
_DEV(oppr)
_DEV(bpf, 105)
_DEV(pf, 59)
+ _DEV(ipl, 60)
+ _DEV(ipnat, 60)
+ _DEV(ipstate, 60)
+ _DEV(ipauth, 60)
_DEV(lkm, 112)
_DEV(tun, 111)
_DEV(rnd, 119)
Index: etc/etc.sparc64/MAKEDEV
===================================================================
RCS file: /cvs/src/etc/etc.sparc64/MAKEDEV,v
retrieving revision 1.78
diff -c -r1.78 MAKEDEV
*** etc/etc.sparc64/MAKEDEV 6 Jan 2003 17:19:59 -0000 1.78
--- etc/etc.sparc64/MAKEDEV 8 Jun 2003 07:40:35 -0000
***************
*** 84,89 ****
--- 84,90 ----
# ss* SCSI scanners
# uk* SCSI Unknown device
# audio* audio device
+ # ipl IP Filter
# pf* Packet Filter
# bpf* Berkeley Packet Filter
# tun* network tunnel driver
***************
*** 317,322 ****
--- 318,330 ----
M bpf$U c 105 $U 600
;;
+ ipl)
+ M ipl c 82 0 600
+ M ipnat c 82 1 600
+ M ipstate c 82 2 600
+ M ipauth c 82 3 600
+ ;;
+
pf*)
M pf c 73 0 600
;;
***************
*** 561,567 ****
R ccd3 wscons pci usbs audio0 uk0 random lpa0 lpa1 lpa2 lpt0
R lpt1 lpt2 lkm tty00 tty01 tty02 tty03 ttyh0 ttyh1 crypto pf
R systrace wd0 wd1 wd2 wd3 raid0 raid1 raid2 raid3 std st0 st1
! R fd
;;
wd*|sd*|raid*|ccd*)
--- 569,575 ----
R ccd3 wscons pci usbs audio0 uk0 random lpa0 lpa1 lpa2 lpt0
R lpt1 lpt2 lkm tty00 tty01 tty02 tty03 ttyh0 ttyh1 crypto pf
R systrace wd0 wd1 wd2 wd3 raid0 raid1 raid2 raid3 std st0 st1
! R ipl fd
;;
wd*|sd*|raid*|ccd*)
Index: etc/etc.sparc64/MAKEDEV.md
===================================================================
RCS file: /cvs/src/etc/etc.sparc64/MAKEDEV.md,v
retrieving revision 1.25
diff -c -r1.25 MAKEDEV.md
*** etc/etc.sparc64/MAKEDEV.md 5 Dec 2002 04:30:21 -0000 1.25
--- etc/etc.sparc64/MAKEDEV.md 8 Jun 2003 07:40:36 -0000
***************
*** 104,109 ****
--- 104,113 ----
_DEV(uk, 60)
_DEV(au, 69)
_DEV(pf, 73)
+ _DEV(ipl, 82)
+ _DEV(ipstate, 82)
+ _DEV(ipnat, 82)
+ _DEV(ipauth, 82)
_DEV(bpf, 105)
_DEV(tun, 111)
_DEV(lkm, 112)
Index: etc/etc.vax/MAKEDEV
===================================================================
RCS file: /cvs/src/etc/etc.vax/MAKEDEV,v
retrieving revision 1.50
diff -c -r1.50 MAKEDEV
*** etc/etc.vax/MAKEDEV 6 Jan 2003 05:57:40 -0000 1.50
--- etc/etc.vax/MAKEDEV 8 Jun 2003 07:40:37 -0000
***************
*** 56,61 ****
--- 56,62 ----
# qv* qvss (microvax) display
# lkm loadable kernel modules
# bpf* berkeley packet filter
+ # ipl IP Filter
# tun* network tunnel device
# ss* SCSI scanner
# uk* SCSI unknown
***************
*** 78,83 ****
--- 79,85 ----
sh $0 dz0 dl0 dhu0 rx0 rx1 raid0 raid1 raid2 raid3
sh $0 ttyg0 ttyg1 ttyg2 ttyg3
sh $0 crl std-extra systrace
+ sh $0 ipl
;;
floppy)
***************
*** 615,620 ****
--- 617,632 ----
mknod bpf$unit c 56 $unit
chmod 600 bpf$unit
chown root.wheel bpf$unit
+ ;;
+
+ ipl)
+ rm -f ipl ipnat ipstate ipauth
+ mknod ipl c 47 0
+ mknod ipnat c 47 1
+ mknod ipstate c 47 2
+ mknod ipauth c 47 3
+ chown root.wheel ipl ipnat ipstate ipauth
+ chmod 600 ipl ipnat ipstate ipauth
;;
qd*)
Index: etc/etc.vax/MAKEDEV.md
===================================================================
RCS file: /cvs/src/etc/etc.vax/MAKEDEV.md,v
retrieving revision 1.12
diff -c -r1.12 MAKEDEV.md
*** etc/etc.vax/MAKEDEV.md 5 Dec 2002 04:30:21 -0000 1.12
--- etc/etc.vax/MAKEDEV.md 8 Jun 2003 07:40:37 -0000
***************
*** 151,156 ****
--- 151,160 ----
_DEV(oppr)
_DEV(bpf, 56)
_DEV(pf, 42)
+ _DEV(ipl, 47)
+ _DEV(ipstate, 47)
+ _DEV(ipnat, 47)
+ _DEV(ipauth, 47)
_DEV(lkm, 28)
_DEV(tun, 57)
_DEV(rnd, 67)
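Review bot: In the etc/etc.alpha/MAKEDEV part of this patch, `M ipauth c 44 2 600` reuses minor 2, which `M ipstate c 44 2 600` on the line above already has; every other architecture in the file gives ipauth minor 3, so on alpha /dev/ipauth would presumably alias the state device, and the line should read `M ipauth c 44 3 600`. The etc.mvme68k and etc.mvme88k MAKEDEV.md parts create the four nodes with `mknod` and `chown root.wheel` but never set a mode, unlike the mvmeppc and vax parts, so their permissions depend on the umask; adding `chmod 600 ipl ipnat ipstate ipauth` after the chown would match the 600 used everywhere else. The device comments are also inconsistent (`IP Filter` versus `IP Packet Filter` on mvme68k and mvme88k).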

91
dist/ipf/OpenBSD-3/3.4-rc-diffs vendored Normal file

@ -0,0 +1,91 @@
diff -c tmp/etc/netstart etc/netstart
*** tmp/etc/netstart 16 Feb 2003 23:25:40 -0000 1.86
--- etc/netstart 8 Jun 2003 07:40:21 -0000
***************
*** 181,186 ****
--- 181,196 ----
domainname `cat /etc/defaultdomain`
fi
+ # Configure the IP filter before configuring network interfaces
+ if [ X"${ipfilter}" = X"YES" -a -f "${ipfilter_rules}" ]; then
+ echo 'configuring IP filter'
+ ipf -Fa -f ${ipfilter_rules}
+ ipfresync="ipf -y"
+ else
+ ipfilter=NO
+ ipfresync=NO
+ fi
+
# Set the address for the loopback interface.
# It will also initialize IPv6 address for lo0 (::1 and others).
ifconfig lo0 inet localhost
***************
*** 337,339 ****
--- 347,362 ----
bridgestart $if
done
+
+ # Configure NAT after configuring network interfaces
+ if [ "${ipnat}" = "YES" -a "${ipfilter}" = "YES" -a -f "${ipnat_rules}" ]; then
+ echo 'configuring NAT'
+ ipnat -CF -f ${ipnat_rules}
+ else
+ ipnat=NO
+ fi
+
+ # Interfaces have come up so we should do an ipf -y if we're using IP filter.
+ if [ "${ipfresync}" != "NO" ]; then
+ ${ipfresync}
+ fi
diff -c tmp/etc/rc etc/rc
*** tmp/etc/rc 23 Mar 2003 18:45:34 -0000 1.225
--- etc/rc 8 Jun 2003 07:40:22 -0000
***************
*** 220,225 ****
--- 220,229 ----
echo 'starting named'; named $named_flags
fi
+ if [ X"${ipfilter}" = X"YES" -a X"${ipmon_flags}" != X"NO" ]; then
+ echo 'starting ipmon'; ipmon ${ipmon_flags}
+ fi
+
# $isakmpd_flags is imported from /etc/rc.conf;
# If $isakmpd_flags == NO or /etc/isakmpd/isakmpd.policy doesn't exist, then
# isakmpd isn't run.
diff -c tmp/etc/rc.conf etc/rc.conf
*** tmp/etc/rc.conf 10 Mar 2003 01:05:28 -0000 1.86
--- etc/rc.conf 8 Jun 2003 07:40:24 -0000
***************
*** 52,58 ****
lockd=NO
gated=NO
amd=NO
! pf=NO # Packet filter / NAT
portmap=NO # Note: inetd(8) rpc services need portmap too
inetd=YES # almost always needed
check_quotas=YES # NO may be desirable in some YP environments
--- 52,60 ----
lockd=NO
gated=NO
amd=NO
! ipfilter=NO # To enable ipfilter, set to YES
! ipnat=NO # for "YES", ipfilter must also be "YES"
! pf=NO # Enable pf(4) Packet filter / NAT
portmap=NO # Note: inetd(8) rpc services need portmap too
inetd=YES # almost always needed
check_quotas=YES # NO may be desirable in some YP environments
***************
*** 76,81 ****
--- 78,86 ----
nfsd_flags="-tun 4" # Crank the 4 for a busy NFS fileserver
amd_dir=/tmp_mnt # AMD's mount directory
amd_master=/etc/amd/master # AMD 'master' map
+ ipfilter_rules=/etc/ipf.rules # Rules for IP packet filtering with IP Filter
+ ipnat_rules=/etc/ipnat.rules # Rules for Network Address Translation
+ ipmon_flags=-Ds # To disable logging, use ipmon_flags=NO
syslogd_flags= # add more flags, ie. "-u -a /chroot/dev/log"
pf_rules=/etc/pf.conf # Packet filter rules file
pflogd_flags= # add more flags, ie. "-s 256"
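Review bot: The netstart block fails open without saying so: with `ipfilter=YES` but `${ipfilter_rules}` missing, the `else` branch quietly sets `ipfilter=NO` and the interfaces are then configured with no rules loaded and nothing on the console. Splitting the test so that the missing-file case prints a warning, for example `echo "WARNING: ${ipfilter_rules} not found, IP filter not enabled"`, would make a mistyped or deleted rules path visible at boot. The rules paths should also be quoted at the point of use, `ipf -Fa -f "${ipfilter_rules}"` and `ipnat -CF -f "${ipnat_rules}"`, as the `-f` tests above them already do. The NAT test drops the `X"..."` guard that the first test and the etc/rc test use; a comment or a consistent form would help.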

1017
dist/ipf/OpenBSD-3/3.4-sys-diffs vendored Normal file

File diff suppressed because it is too large Load Diff

615
dist/ipf/OpenBSD-3/3.5-MAKEDEV-diffs vendored Normal file

@ -0,0 +1,615 @@
--- ./etc/etc.alpha/MAKEDEV Sat Jul 10 12:47:18 2004
+++ ./etc/etc.alpha/MAKEDEV.orig Sun Mar 14 05:38:04 2004
@@ -75,7 +75,6 @@
# music* MIDI devices
# pci PCI bus device
# pf* Packet Filter
-# ipl IP Filter
# rmidi* Raw MIDI devices
# *random In-kernel random data source
# speaker PC speaker
@@ -287,16 +286,6 @@
M rmidi$U c 41 $U 666
;;
-ipl)
- M ipl c 44 0 600
- M ipnat c 44 1 600
- M ipstate c 44 2 600
- M ipauth c 44 3 600
- M ipsync c 44 4 600
- M ipscan c 44 5 600
- M ippool c 44 6 600
- ;;
-
pf*)
M pf c 35 0 600
;;
@@ -514,7 +503,6 @@
R tty00 tty01 tty02 tty03 ttyc0 ttyc1 ttyc2 ttyc3 ttyc4 ttyc5
R ttyc6 ttyc7 ttyB0 ttyB1 ttyB2 ttyB3 ttyB4 ttyB5 pf systrace
R wd0 wd1 wd2 wd3 raid0 raid1 raid2 raid3 std st0 st1 fd
- R ipl
;;
wd*|sd*|raid*|ccd*)
--- ./etc/etc.alpha/MAKEDEV.md Sat Jul 10 12:42:14 2004
+++ ./etc/etc.alpha/MAKEDEV.md.orig Sun Mar 14 05:38:04 2004
@@ -64,17 +64,10 @@
_DEV(bpf, 11)
_DEV(fdesc, 10)
_DEV(iop, 54)
-_DEV(ipl, 44)
_DEV(lkm, 16)
_DEV(music, 42)
_DEV(pci, 52)
_DEV(pf, 35)
-_DEV(ipnat, 44)
-_DEV(ipstate, 44)
-_DEV(ipauth, 44)
-_DEV(ipsync, 44)
-_DEV(ipscan, 44)
-_DEV(iplookup, 44)
_DEV(rmidi, 41)
_DEV(rnd, 34)
_DEV(speak, 40)
--- ./etc/etc.hp300/MAKEDEV Sat Jul 10 12:48:22 2004
+++ ./etc/etc.hp300/MAKEDEV.orig Sun Mar 14 05:38:05 2004
@@ -55,7 +55,6 @@
# Special purpose devices:
# bpf* Berkeley Packet Filter
# fd fd/* nodes for fdescfs
-# ipl IP Filter
# hil HP-HIL input devices
# lkm Loadable kernel modules interface
# pf* Packet Filter
@@ -329,16 +328,6 @@
done
;;
-ipl)
- M ipl c 37 0 600
- M ipnat c 37 1 600
- M ipstate c 37 2 600
- M ipauth c 37 3 600
- M ipsync c 37 4 600
- M ipscan c 37 5 600
- M iplookup c 37 6 600
- ;;
-
pf*)
M pf c 33 0 600
;;
@@ -422,7 +411,6 @@
R sd2 sd3 sd4 rd0 tun0 tun1 tun2 tun3 bpf0 bpf1 bpf2 bpf3 bpf4
R bpf5 bpf6 bpf7 bpf8 bpf9 pty0 pty1 pty2 xfs0 ptm local ppi0
R apci0 random lkm pf systrace std fd
- R ipl
;;
sd*|hd*|ccd*)
--- ./etc/etc.hp300/MAKEDEV.md Sat Jul 10 12:42:23 2004
+++ ./etc/etc.hp300/MAKEDEV.md.orig Sun Mar 14 05:38:05 2004
@@ -79,7 +79,6 @@
_DEV(bpf, 22)
_DEV(fdesc, 21)
_DEV(hil, 14)
-_DEV(ipl, 37)
_DEV(lkm, 24)
_DEV(pf, 33)
_DEV(rnd, 32)
--- ./etc/etc.hppa/MAKEDEV Sat Jul 10 13:00:06 2004
+++ ./etc/etc.hppa/MAKEDEV.orig Sun Mar 14 05:38:05 2004
@@ -59,7 +59,6 @@
# bpf* Berkeley Packet Filter
# crypto Hardware crypto access driver
# fd fd/* nodes for fdescfs
-# ipl IP Filter
# lkm Loadable kernel modules interface
# pci PCI bus device
# pdc PDC device
@@ -259,16 +258,6 @@
done
;;
-ipl)
- M ipl c 39 0 600
- M ipnat c 39 1 600
- M ipstate c 39 2 600
- M ipauth c 39 3 600
- M ipsync c 39 4 600
- M ipscan c 39 5 600
- M iplookup c 39 6 600
- ;;
-
pf*)
M pf c 21 0 600
;;
@@ -443,7 +432,7 @@
R fd1E fd1F fd1G fd1H fd0 fd0B fd0C fd0D fd0E fd0F fd0G fd0H
R xfs0 ss0 ss1 ch0 ses0 ptm local wscons pci audio0 uk0 random
R lpa0 lpa1 lpa2 lpt0 lpt1 lpt2 lkm tty00 tty01 tty02 tty03
- R crypto pf systrace std st0 st1 fd ipl
+ R crypto pf systrace std st0 st1 fd
;;
sd*|ccd*)
--- ./etc/etc.hppa/MAKEDEV.md Sat Jul 10 12:42:27 2004
+++ ./etc/etc.hppa/MAKEDEV.md.orig Sat Feb 21 15:05:04 2004
@@ -53,7 +53,6 @@
_DEV(bpf, 17)
_DEV(cry, 36)
_DEV(fdesc, 16)
-_DEV(ipl, 39)
_DEV(lkm, 19)
_DEV(pci, 31)
_DEV(pdc, 22)
--- ./etc/etc.i386/MAKEDEV Sat Jul 10 12:50:08 2004
+++ ./etc/etc.i386/MAKEDEV.orig Sun Mar 14 05:38:05 2004
@@ -80,7 +80,6 @@
# fd fd/* nodes for fdescfs
# gpr* GPR400 smartcard reader
# iop* I2O controller devices
-# ipl IP Filter
# joy* Joystick driver
# lkm Loadable kernel modules interface
# music* MIDI devices
@@ -309,16 +308,6 @@
MKlist="$MKlist;[ -e radio ] || ln -s radio$U radio"
;;
-ipl)
- M ipl c 82 0 600
- M ipnat c 82 1 600
- M ipstate c 82 2 600
- M ipauth c 82 3 600
- M ipsync c 82 4 600
- M ipscan c 82 5 600
- M iplookup c 82 6 600
- ;;
-
pf*)
M pf c 73 0 600
;;
@@ -586,7 +575,7 @@
R random joy0 joy1 lpa0 lpa1 lpa2 lpt0 lpt1 lpt2 lkm tty00
R tty01 tty02 tty03 ttyc0 ttyc1 ttyc2 ttyc3 ttyc4 ttyc5 ttyc6
R ttyc7 apm crypto pf pctr systrace wd0 wd1 wd2 wd3 raid0
- R raid1 raid2 raid3 std st0 st1 fd mcd0 ipl
+ R raid1 raid2 raid3 std st0 st1 fd mcd0
;;
wd*|sd*|raid*|ccd*)
--- ./etc/etc.i386/MAKEDEV.md Sat Jul 10 12:42:30 2004
+++ ./etc/etc.i386/MAKEDEV.md.orig Sun Mar 14 05:38:05 2004
@@ -73,7 +73,6 @@
_DEV(fdesc, 22)
_DEV(gpr, 80)
_DEV(iop, 75)
-_DEV(ipl, 82)
_DEV(joy, 26)
_DEV(lkm, 28)
_DEV(music, 53)
--- ./etc/etc.mac68k/MAKEDEV Sat Jul 10 12:50:48 2004
+++ ./etc/etc.mac68k/MAKEDEV.orig Sun Mar 14 05:38:06 2004
@@ -52,7 +52,6 @@
# asc* ASC Audio device
# bpf* Berkeley Packet Filter
# fd fd/* nodes for fdescfs
-# ipl IP Filter
# lkm Loadable kernel modules interface
# pf* Packet Filter
# *random In-kernel random data source
@@ -281,16 +280,6 @@
done
;;
-ipl)
- M ipl c 38 0 600
- M ipnat c 38 1 600
- M ipstate c 38 2 600
- M ipauth c 38 3 600
- M ipsync c 38 4 600
- M ipscan c 38 5 600
- M iplookup c 38 6 600
- ;;
-
pf*)
M pf c 35 0 600
;;
@@ -381,7 +370,6 @@
R pty2 xfs0 ss0 ss1 ch0 vnd0 vnd1 vnd2 vnd3 sd0 sd1 sd2 sd3
R sd4 ptm local grf0 grf1 grf2 grf3 adb asc0 uk0 random lkm
R tty00 tty01 pf systrace std st0 st1 fd
- R ipl
;;
sd*|ccd*)
--- ./etc/etc.mac68k/MAKEDEV.md Sat Jul 10 12:42:34 2004
+++ ./etc/etc.mac68k/MAKEDEV.md.orig Sat Feb 21 15:05:05 2004
@@ -50,7 +50,6 @@
_DEV(asc, 36)
_DEV(bpf, 22)
_DEV(fdesc, 21)
-_DEV(ipl, 38)
_DEV(lkm, 25)
_DEV(pf, 35)
_DEV(rnd, 32)
--- ./etc/etc.macppc/MAKEDEV Sat Jul 10 12:51:17 2004
+++ ./etc/etc.macppc/MAKEDEV.orig Sun Mar 14 05:38:06 2004
@@ -70,7 +70,6 @@
# crypto Hardware crypto access driver
# fd fd/* nodes for fdescfs
# iop* I2O controller devices
-# ipl IP Filter
# lkm Loadable kernel modules interface
# pci PCI bus device
# pf* Packet Filter
@@ -273,16 +272,6 @@
MKlist="$MKlist;[ -e radio ] || ln -s radio$U radio"
;;
-ipl)
- M ipl c 45 0 600
- M ipnat c 45 1 600
- M ipstate c 45 2 600
- M ipauth c 45 3 600
- M ipsync c 45 4 600
- M ipscan c 45 5 600
- M iplookup c 45 6 600
- ;;
-
pf*)
M pf c 39 0 600
;;
@@ -479,7 +468,6 @@
R local wscons pci iop0 iop1 uall tuner0 radio0 audio0 uk0
R random lkm tty00 tty01 tty02 tty03 apm crypto pf systrace
R wd0 wd1 wd2 wd3 raid0 raid1 raid2 raid3 std st0 st1 fd
- R ipl
;;
wd*|sd*|raid*|ccd*)
--- ./etc/etc.macppc/MAKEDEV.md Sat Jul 10 12:38:34 2004
+++ ./etc/etc.macppc/MAKEDEV.md.orig Sun Mar 14 05:38:06 2004
@@ -66,7 +66,6 @@
_DEV(lkm, 24)
_DEV(pci, 71)
_DEV(pf, 39)
-_DEV(mapppc, 45)
_DEV(radio, 76)
_DEV(rnd, 40)
_DEV(ss, 42)
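Review bot: The entry on the `-` side, `_DEV(mapppc, 45)`, does not name the `ipl` device that the other architectures' MAKEDEV.md files register as `_DEV(ipl, N)`, so it looks like a typo for `_DEV(ipl, 45)`; 45 is the major used by the macppc `ipl)` case in MAKEDEV. The sparc64 MAKEDEV.md hunk has a similar slip, `-DEV(ipl, 82)`, where `_DEV(ipl, 82)` is presumably meant. These patches list the modified file under `---` and the `.orig` under `+++`, so the `-` lines are the IP Filter additions. What a wrong macro name does to the generated MAKEDEV depends on the m4 definitions, which are not shown here, so both lines are worth checking against them.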
--- ./etc/etc.mvme68k/MAKEDEV Sat Jul 10 13:00:11 2004
+++ ./etc/etc.mvme68k/MAKEDEV.orig Sun Mar 14 05:38:06 2004
@@ -53,7 +53,6 @@
# bpf* Berkeley Packet Filter
# fd fd/* nodes for fdescfs
# flash0 On-board flash memory
-# ipl IP Filter
# lkm Loadable kernel modules interface
# nvram0 On-board non-volatile memory
# pf* Packet Filter
@@ -274,16 +273,6 @@
M flash0 c 11 0 640 kmem
;;
-ipl)
- M ipl c 45 0 600
- M ipnat c 45 1 600
- M ipstate c 45 2 600
- M ipauth c 45 3 600
- M ipsync c 45 4 600
- M ipscan c 45 5 600
- M iplookup c 45 6 600
- ;;
-
fd)
RMlist="mkdir -p fd;$RMlist" n=0
while [ $n -lt 64 ];do M fd/$n c 21 $n;n=$(($n+1));done
@@ -419,7 +408,7 @@
R vnd2 vnd3 sd0 sd1 sd2 sd3 sd4 cd0 cd1 rd0 tun0 tun1 tun2
R tun3 bpf0 bpf1 bpf2 bpf3 bpf4 bpf5 bpf6 bpf7 bpf8 bpf9 pty0
R pty1 pty2 xfs0 ss0 ss1 ch0 vmel0 vmes0 flash0 nvram0 sram0
- R ptm local uk0 random lkm pf systrace std st0 st1 fd ipl
+ R ptm local uk0 random lkm pf systrace std st0 st1 fd
;;
sd*|ccd*)
--- ./etc/etc.mvme68k/MAKEDEV.md Sat Jul 10 12:42:39 2004
+++ ./etc/etc.mvme68k/MAKEDEV.md.orig Sat Feb 21 15:05:05 2004
@@ -151,7 +151,6 @@
_DEV(bpf, 22)
_DEV(fdesc, 21)
_DEV(flash, 11)
-_DEV(ipl, 45)
_DEV(lkm, 24)
_DEV(nvram, 10)
_DEV(pf, 39)
@@ -169,13 +168,4 @@
dnl
_std(1, 2, 43, 3, 6)
;;
-
-ipl)
- rm -f ipl ipnat ipstate ipauth
- mknod ipl c 44 0
- mknod ipnat c 44 1
- mknod ipstate c 44 2
- mknod ipauth c 44 3
- chown root.wheel ipl ipnat ipstate ipauth
- ;;
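Review bot: The `ipl)` case on the `-` side creates the nodes with major 44, but the same file declares `_DEV(ipl, 45)`, and the mvme68k `MAKEDEV` and `conf.c` changes in this import both use 45; in that `conf.c`, slot 44 is the SCSI autochanger, so these nodes would open the wrong driver. The block also omits `ipsync`, `ipscan` and `iplookup` and never sets a mode, whereas the other scripts create all seven nodes as `600`; without `chmod 600 ipl ipnat ipstate ipauth` the nodes get whatever mode `mknod` and the umask produce. The mvme88k MAKEDEV.md hunk carries the same block with major 41 against a `conf.c` entry at 45. These patches put the modified file under `---`, so the `-` lines are the IP Filter side.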
--- ./etc/etc.mvme88k/MAKEDEV Sat Jul 10 13:00:13 2004
+++ ./etc/etc.mvme88k/MAKEDEV.orig Sun Mar 14 05:38:06 2004
@@ -49,7 +49,6 @@
# Special purpose devices:
# bpf* Berkeley Packet Filter
# fd fd/* nodes for fdescfs
-# ipl IP Filter
# lkm Loadable kernel modules interface
# nvram0 On-board non-volatile memory
# pf* Packet Filter
@@ -266,16 +265,6 @@
M lkm c 24 0 640 _lkm
;;
-ipl)
- M ipl c 45 0 600
- M ipnat c 45 1 600
- M ipstate c 45 2 600
- M ipauth c 45 3 600
- M ipsync c 45 4 600
- M ipscan c 45 5 600
- M iplookup c 45 6 600
- ;;
-
fd)
RMlist="mkdir -p fd;$RMlist" n=0
while [ $n -lt 64 ];do M fd/$n c 21 $n;n=$(($n+1));done
@@ -388,7 +377,6 @@
R tun0 tun1 tun2 tun3 bpf0 bpf1 bpf2 bpf3 bpf4 bpf5 bpf6 bpf7
R bpf8 bpf9 pty0 pty1 pty2 xfs0 ss0 ch0 vmel0 vmes0 nvram0
R sram0 ptm local uk0 random lkm pf systrace std st0 st1 fd
- R ipl
;;
sd*|ccd*)
--- ./etc/etc.mvme88k/MAKEDEV.md Sat Jul 10 12:42:42 2004
+++ ./etc/etc.mvme88k/MAKEDEV.md.orig Sat Feb 21 15:05:05 2004
@@ -122,7 +122,6 @@
_TITLE(spec)
_DEV(bpf, 22)
_DEV(fdesc, 21)
-_DEV(ipl, 45)
_DEV(lkm, 24)
_DEV(nvram, 10)
_DEV(pf, 39)
@@ -140,13 +139,4 @@
dnl
_std(1, 2, 43, 3, 6)
;;
-
-ipl)
- rm -f ipl ipnat ipstate ipauth
- mknod ipl c 41 0
- mknod ipnat c 41 1
- mknod ipstate c 41 2
- mknod ipauth c 41 3
- chown root.wheel ipl ipnat ipstate ipauth
- ;;
--- ./etc/etc.mvmeppc/MAKEDEV Sat Jul 10 12:58:40 2004
+++ ./etc/etc.mvmeppc/MAKEDEV.orig Sun Oct 26 10:29:33 2003
@@ -73,7 +73,6 @@
# audio* audio
# ch* SCSI media changer
# bpf* Berkeley Packet Filter
-# ipl IP Filter
# tun* network tunnel driver
# lkm loadable kernel modules interface
# *random inkernal random data source
@@ -157,7 +156,7 @@
sh $this ttyC0 ttyCcfg
sh $this tty00 tty01 tty02 tty03 pty0 pty1
sh $this bpf0 bpf1 bpf2 bpf3 bpf4 bpf5 bpf6 bpf7 bpf8 bpf9
- sh $this ipl pf tun0 tun1 tun2 tun3
+ sh $this pf tun0 tun1 tun2 tun3
sh $this audio0
sh $this random uk0 uk1 ss0 ss1
sh $this wscons
@@ -523,19 +522,6 @@
rm -f bpf${unit}
mknod bpf${unit} c 22 ${unit}
chown root.wheel bpf${unit}
- ;;
-
-ipl)
- rm -f ipl ipnat ipstate ipauth
- mknod ipl c 44 0
- mknod ipnat c 44 1
- mknod ipstate c 44 2
- mknod ipauth c 44 3
- mknod ipsync c 44 4
- mknod ipscan c 44 5
- mknod iplookup c 44 6
- chown root:wheel ipl ipnat ipstate ipauth ipsync ipscan iplookup
- chmod 600 ipl ipnat ipstate ipauth ipsync ipscan iplookup
;;
pf)
--- ./etc/etc.sparc/MAKEDEV Sat Jul 10 13:00:16 2004
+++ ./etc/etc.sparc/MAKEDEV.orig Sun Mar 14 05:38:07 2004
@@ -64,7 +64,6 @@
# bppmag[mno] Magma parallel port
# bpp[jkl] "spif" parallel port
# fd fd/* nodes for fdescfs
-# ipl IP Filter
# lkm Loadable kernel modules interface
# openprom
# magma* Magma multiport cards
@@ -285,16 +284,6 @@
done
;;
-ipl)
- M ipl c 60 0 600
- M ipnat c 60 1 600
- M ipstate c 60 2 600
- M ipauth c 60 3 600
- M ipsync c 60 4 600
- M ipscan c 60 5 600
- M iplookup c 60 6 600
- ;;
-
pf*)
M pf c 59 0 600
;;
@@ -506,7 +495,7 @@
R fd0C fd0D fd0E fd0F fd0G fd0H xfs0 ss0 ss1 ch0 ses0 cuaa
R cuab cuac cuad ttya ttyb ttyc ttyd ptm local wscons audio0
R uk0 random lkm pf systrace xd0 xd1 xd2 xd3 raid0 raid1 raid2
- R raid3 std st0 st1 fd ipl
+ R raid3 std st0 st1 fd
;;
presto*|xd*|xy*|sd*|raid*|ccd*)
--- ./etc/etc.sparc/MAKEDEV.md Sat Jul 10 12:42:51 2004
+++ ./etc/etc.sparc/MAKEDEV.md.orig Sat Feb 21 15:05:06 2004
@@ -90,7 +90,6 @@
_DEV(bppmag, 101)
_DEV(bppsp, 103)
_DEV(fdesc, 24)
-_DEV(ipl, 60)
_DEV(lkm, 112)
_DEV(oppr)
_DEV(mag, 100)
--- ./etc/etc.sparc64/MAKEDEV Sat Jul 10 12:59:31 2004
+++ ./etc/etc.sparc64/MAKEDEV.orig Sun Mar 14 05:38:07 2004
@@ -78,7 +78,6 @@
# bpp[jkl] "spif" parallel port
# crypto Hardware crypto access driver
# fd fd/* nodes for fdescfs
-# ipl IP Filter
# lkm Loadable kernel modules interface
# magma* Magma multiport cards
# pci PCI bus device
@@ -303,16 +302,6 @@
done
;;
-ipl)
- M ipl c 82 0 600
- M ipnat c 82 1 600
- M ipstate c 82 2 600
- M ipauth c 82 3 600
- M ipsync c 82 4 600
- M ipscan c 82 5 600
- M iplookup c 82 6 600
- ;;
-
pf*)
M pf c 73 0 600
;;
@@ -584,7 +573,7 @@
R ccd2 ccd3 ptm local wscons pci uall audio0 uk0 random lpa0
R lpa1 lpa2 lpt0 lpt1 lpt2 lkm tty00 tty01 tty02 tty03 ttyh0
R ttyh1 crypto pf systrace wd0 wd1 wd2 wd3 raid0 raid1 raid2
- R raid3 std st0 st1 fd ipl
+ R raid3 std st0 st1 fd
;;
wd*|sd*|raid*|ccd*)
--- ./etc/etc.sparc64/MAKEDEV.md Sat Jul 10 12:42:57 2004
+++ ./etc/etc.sparc64/MAKEDEV.md.orig Sun Mar 14 05:38:07 2004
@@ -96,7 +96,6 @@
_DEV(bppsp, 109)
_DEV(cry, 75)
_DEV(fdesc, 24)
--DEV(ipl, 82)
_DEV(lkm, 112)
_DEV(mag, 71)
_DEV(pci, 52)
--- ./etc/etc.vax/MAKEDEV Sat Jul 10 13:00:00 2004
+++ ./etc/etc.vax/MAKEDEV.orig Sun Mar 14 05:38:07 2004
@@ -68,7 +68,6 @@
# Special purpose devices:
# bpf* Berkeley Packet Filter
# fd fd/* nodes for fdescfs
-# ipl IP Filter
# lkm Loadable kernel modules interface
# pf* Packet Filter
# *random In-kernel random data source
@@ -316,16 +315,6 @@
done
;;
-ipl)
- M ipl c 47 0 600
- M ipnat c 47 1 600
- M ipstate c 47 2 600
- M ipauth c 47 3 600
- M ipsync c 47 4 600
- M ipscan c 47 5 600
- M iplookup c 47 6 600
- ;;
-
pf*)
M pf c 42 0 600
;;
@@ -503,7 +492,7 @@
R sd1 sd2 sd3 cd0 tun0 tun1 bpf0 bpf1 bpf2 bpf3 bpf4 bpf5 bpf6
R bpf7 pty0 pty1 ss0 ptm local uk0 random lkm pf systrace rx0
R rx1 ra0 ra1 ra2 ra3 hp0 hp1 hp2 hp3 raid0 raid1 raid2 raid3
- R std st0 st1 fd ipl
+ R std st0 st1 fd
;;
up*|sd*|rx*|rl*|rb*|raid*|ra*|hp*|hk*|hd*|ccd*)
--- ./etc/etc.vax/MAKEDEV.md Sat Jul 10 12:41:58 2004
+++ ./etc/etc.vax/MAKEDEV.md.orig Sat Feb 21 15:05:07 2004
@@ -144,7 +144,6 @@
_TITLE(spec)
_DEV(bpf, 56)
_DEV(fdesc, 53)
-_DEV(ipl, 47)
_DEV(lkm, 28)
_DEV(pf, 42)
_DEV(rnd, 67)
--- ./etc/MAKEDEV.common Sat Jul 10 12:19:30 2004
+++ ./etc/MAKEDEV.common.orig Sat Jul 10 12:28:18 2004
@@ -123,13 +123,6 @@
target(all, pctr)dnl
target(all, pctr0)dnl
target(all, pf)dnl
-target(all, ipl)dnl
-target(all, ipnat)dnl
-target(all, ipstate)dnl
-target(all, ipauth)dnl
-target(all, ipsync)dnl
-target(all, ipscan)dnl
-target(all, iplookup)dnl
twrget(all, cry, crypto)dnl
target(all, apm)dnl
twrget(all, tth, ttyh, 0, 1)dnl
@@ -479,20 +472,6 @@
_mkdev(cry, crypto, {-M crypto c major_cry_c-} 0)dnl
__devitem(pf, pf*, Packet Filter)dnl
_mkdev(pf, {-pf*-}, {-M pf c major_pf_c 0 600-})dnl
-__devitem(ipl, ipl*, Packet Filter log)dnl
-_mkdev(ipl, {-ipl*-}, {-M ipl c major_ipl_c 0 600-})dnl
-__devitem(ipnat, ipnat*, Packet Filter NAT)dnl
-_mkdev(ipnat, {-ipnat*-}, {-M ipnat c major_ipnat_c 1 600-})dnl
-__devitem(ipstate, ipstate*, Packet Filter state)dnl
-_mkdev(ipstate, {-ipstate*-}, {-M ipstate c major_ipstate_c 2 600-})dnl
-__devitem(ipauth, ipauth*, Packet Filter auth)dnl
-_mkdev(ipauth, {-ipauth*-}, {-M ipauth c major_ipauth_c 3 600-})dnl
-__devitem(ipsync, ipsync*, Packet Filter auth)dnl
-_mkdev(ipsync, {-ipsync*-}, {-M ipsync c major_ipsync_c 4 600-})dnl
-__devitem(ipscan, ipscan*, Packet Filter auth)dnl
-_mkdev(ipscan, {-ipscan*-}, {-M ipscan c major_ipscan_c 5 600-})dnl
-__devitem(iplookup, iplookup*, Packet Filter auth)dnl
-_mkdev(iplookup, {-iplookup*-}, {-M iplookup c major_iplookup_c 6 600-})dnl
__devitem(bpf, bpf*, Berkeley Packet Filter)dnl
_mkdev(bpf, {-bpf*-}, {-M bpf$U c major_bpf_c $U 600-}, 600)dnl
_mkdev(tun, {-tun*-}, {-M tun$U c major_tun_c $U 600-}, 600)dnl

91
dist/ipf/OpenBSD-3/3.5-rc-diffs vendored Normal file

@ -0,0 +1,91 @@
diff -c tmp/etc/netstart etc/netstart
*** etc/netstart.orig Tue Mar 23 10:15:38 2004
--- etc/netstart Sat Jul 10 11:56:56 2004
***************
*** 194,199 ****
--- 194,209 ----
domainname `cat /etc/defaultdomain`
fi
+ # Configure the IP filter before configuring network interfaces
+ if [ X"${ipfilter}" = X"YES" -a -f "${ipfilter_rules}" ]; then
+ echo 'configuring IP filter'
+ ipf -Fa -f ${ipfilter_rules}
+ ipfresync="ipf -y"
+ else
+ ipfilter=NO
+ ipfresync=NO
+ fi
+
# Set the address for the loopback interface. Bringing the
# interface up, automatically invokes the IPv6 address ::1)
ifconfig lo0 inet 127.0.0.1
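Review bot: The `else` branch fails open silently: with `ipfilter=YES` and a missing `${ipfilter_rules}` file it just sets `ipfilter=NO`, and the interfaces below come up unfiltered with nothing printed. That case deserves its own branch that prints a warning such as `echo "WARNING: ${ipfilter_rules} not found, IP Filter not configured"`. The exit status of `ipf` should be checked too, since `-Fa` flushes the active rules before `-f` loads the file and a parse error can leave an incomplete rule set. The path should be quoted as well: `ipf -Fa -f "${ipfilter_rules}"`. Whether an empty rule set passes or blocks traffic depends on the kernel's default policy, which the GENERIC change in this import does not appear to set to block.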
***************
*** 354,356 ****
--- 364,379 ----
bridgestart $if
done
+
+ # Configure NAT after configuring network interfaces
+ if [ "${ipnat}" = "YES" -a "${ipfilter}" = "YES" -a -f "${ipnat_rules}" ]; then
+ echo 'configuring NAT'
+ ipnat -CF -f ${ipnat_rules}
+ else
+ ipnat=NO
+ fi
+
+ # Interfaces have come up so we should do an ipf -y if we're using IP filter.
+ if [ "${ipfresync}" != "NO" ]; then
+ ${ipfresync}
+ fi
diff -c tmp/etc/rc etc/rc
*** tmp/etc/rc 23 Mar 2003 18:45:34 -0000 1.225
--- etc/rc 8 Jun 2003 07:40:22 -0000
***************
*** 220,225 ****
--- 220,229 ----
echo 'starting named'; named $named_flags
fi
+ if [ X"${ipfilter}" = X"YES" -a X"${ipmon_flags}" != X"NO" ]; then
+ echo 'starting ipmon'; ipmon ${ipmon_flags}
+ fi
+
# $isakmpd_flags is imported from /etc/rc.conf;
# If $isakmpd_flags == NO or /etc/isakmpd/isakmpd.policy doesn't exist, then
# isakmpd isn't run.
diff -c tmp/etc/rc.conf etc/rc.conf
*** tmp/etc/rc.conf 10 Mar 2003 01:05:28 -0000 1.86
--- etc/rc.conf 8 Jun 2003 07:40:24 -0000
***************
*** 52,58 ****
lockd=NO
gated=NO
amd=NO
! pf=NO # Packet filter / NAT
portmap=NO # Note: inetd(8) rpc services need portmap too
inetd=YES # almost always needed
check_quotas=YES # NO may be desirable in some YP environments
--- 52,60 ----
lockd=NO
gated=NO
amd=NO
! ipfilter=NO # To enable ipfilter, set to YES
! ipnat=NO # for "YES", ipfilter must also be "YES"
! pf=NO # Enable pf(4) Packet filter / NAT
portmap=NO # Note: inetd(8) rpc services need portmap too
inetd=YES # almost always needed
check_quotas=YES # NO may be desirable in some YP environments
***************
*** 76,81 ****
--- 78,86 ----
nfsd_flags="-tun 4" # Crank the 4 for a busy NFS fileserver
amd_dir=/tmp_mnt # AMD's mount directory
amd_master=/etc/amd/master # AMD 'master' map
+ ipfilter_rules=/etc/ipf.rules # Rules for IP packet filtering with IP Filter
+ ipnat_rules=/etc/ipnat.rules # Rules for Network Address Translation
+ ipmon_flags=-Ds # To disable logging, use ipmon_flags=NO
syslogd_flags= # add more flags, ie. "-u -a /chroot/dev/log"
pf_rules=/etc/pf.conf # Packet filter rules file
pflogd_flags= # add more flags, ie. "-s 256"

778
dist/ipf/OpenBSD-3/3.5-sys-diffs vendored Normal file

@ -0,0 +1,778 @@
--- sys/arch/alpha/alpha/conf.c.orig Sat Feb 21 15:09:52 2004
+++ sys/arch/alpha/alpha/conf.c Thu Jul 8 14:04:39 2004
@@ -103,6 +103,11 @@
#include "lpt.h"
cdev_decl(lpt);
cdev_decl(prom); /* XXX XXX XXX */
+#ifdef IPFILTER
+#define NIPF 1
+#else
+#define NIPF 0
+#endif
cdev_decl(wd);
cdev_decl(fd);
#include "cy.h"
@@ -173,7 +178,7 @@
cdev_midi_init(NMIDI,midi), /* 41: MIDI I/O */
cdev_midi_init(NSEQUENCER,sequencer), /* 42: sequencer I/O */
cdev_disk_init(NRAID,raid), /* 43: RAIDframe disk driver */
- cdev_notdef(), /* 44 */
+ cdev_gen_ipf(NIPF,ipl), /* 44: IP filter log */
cdev_usb_init(NUSB,usb), /* 45: USB controller */
cdev_usbdev_init(NUHID,uhid), /* 46: USB generic HID */
cdev_ulpt_init(NULPT,ulpt), /* 47: USB printer */
--- sys/arch/hp300/hp300/conf.c.orig Sat Feb 21 15:10:07 2004
+++ sys/arch/hp300/hp300/conf.c Thu Jul 8 14:04:40 2004
@@ -122,6 +122,12 @@
cdev_decl(xfs_dev);
#endif
+#ifdef IPFILTER
+#define NIPF 1
+#else
+#define NIPF 0
+#endif
+
#include "pf.h"
#include "systrace.h"
@@ -165,7 +171,7 @@
cdev_disk_init(NRD,rd), /* 34: RAM disk */
cdev_tty_init(NAPCI,apci), /* 35: Apollo APCI UARTs */
cdev_ksyms_init(NKSYMS,ksyms), /* 36: Kernel symbols device */
- cdev_notdef(), /* 37 */
+ cdev_pf_init(NIPF,ipl), /* 37: packet filter */
cdev_notdef(), /* 38 */
cdev_notdef(), /* 39 */
cdev_notdef(), /* 40 */
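Review bot: The hp300 table registers `ipl` with `cdev_pf_init(NIPF,ipl)` and the comment "packet filter", while every other architecture in this patch uses `cdev_gen_ipf(NIPF,ipl)`. Per the `sys/sys/conf.h` hunk, `cdev_pf_init` wires only open, close and ioctl and maps read to `enodev`, whereas `cdev_gen_ipf` also wires read. With the pf initializer, reads from the IP Filter log device would fail, so the `ipmon` started from `etc/rc` would presumably collect no firewall logs on hp300. The line should read `cdev_gen_ipf(NIPF,ipl), /* 37: IP filter */`.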
--- sys/arch/hppa/hppa/conf.c.orig Sat Feb 21 15:10:10 2004
+++ sys/arch/hppa/hppa/conf.c Thu Jul 8 14:07:09 2004
@@ -107,6 +107,12 @@
#include "com.h"
cdev_decl(com);
+#ifdef IPFILTER
+#define NIPF 1
+#else
+#define NIPF 0
+#endif
+
#include "pf.h"
#include "systrace.h"
@@ -166,7 +172,7 @@
cdev_crypto_init(NCRYPTO,crypto), /* 36: /dev/crypto */
cdev_ses_init(NSES,ses), /* 37: SCSI SES/SAF-TE */
cdev_ptm_init(NPTY,ptm), /* 38: pseudo-tty ptm device */
- cdev_lkm_dummy(),
+ cdev_gen_ipf(NIPF,ipl), /* 39: ip filtering */
cdev_lkm_dummy(),
cdev_lkm_dummy(),
cdev_lkm_dummy(),
--- sys/arch/i386/i386/conf.c.orig Sat Feb 21 15:10:12 2004
+++ sys/arch/i386/i386/conf.c Thu Jul 8 14:07:28 2004
@@ -185,6 +185,12 @@
#include "radio.h"
#include "gpr.h"
+#ifdef IPFILTER
+#define NIPF 1
+#else
+#define NIPF 0
+#endif
+
/* XXX -- this needs to be supported by config(8)! */
#if (NCOM > 0) && (NPCCOM > 0)
#error com and pccom are mutually exclusive. Sorry.
@@ -310,6 +316,7 @@
cdev_oci_init(NBIO,bio), /* 79: ioctl tunnel */
cdev_ch_init(NGPR,gpr), /* 80: GPR400 SmartCard reader */
cdev_ptm_init(NPTY,ptm), /* 81: pseudo-tty ptm device */
+ cdev_gen_ipf(NIPF,ipl), /* 82: ip filtering */
};
int nchrdev = sizeof(cdevsw) / sizeof(cdevsw[0]);
--- sys/arch/mac68k/mac68k/conf.c.orig Sat Feb 21 15:10:19 2004
+++ sys/arch/mac68k/mac68k/conf.c Thu Jul 8 14:04:40 2004
@@ -104,6 +104,12 @@
cdev_decl(xfs_dev);
#endif
+#ifdef IPFILTER
+#define NIPF 1
+#else
+#define NIPF 0
+#endif
+
#include "pf.h"
#include "systrace.h"
@@ -148,7 +154,7 @@
cdev_pf_init(NPF,pf), /* 35: packet filter */
cdev_audio_init(NASC,asc), /* 36: ASC audio device */
cdev_ksyms_init(NKSYMS,ksyms), /* 37: Kernel symbols device */
- cdev_notdef(), /* 38 */
+ cdev_gen_ipf(NIPF,ipl), /* 38: IP filter log */
cdev_notdef(), /* 39 */
cdev_notdef(), /* 40 */
cdev_notdef(), /* 41 */
--- sys/arch/macppc/macppc/conf.c.orig Sat Feb 21 15:10:20 2004
+++ sys/arch/macppc/macppc/conf.c Thu Jul 8 14:04:40 2004
@@ -105,6 +105,12 @@
#include "tun.h"
+#ifdef IPFILTER
+#define NIPF 1
+#else
+#define NIPF 0
+#endif
+
#ifdef XFS
#include <xfs/nxfs.h>
cdev_decl(xfs_dev);
@@ -191,7 +197,7 @@
cdev_ss_init(NSS,ss), /* 42: SCSI scanner */
cdev_ksyms_init(NKSYMS,ksyms), /* 43: Kernel symbols device */
cdev_audio_init(NAUDIO,audio), /* 44: generic audio I/O */
- cdev_notdef(), /* 45 */
+ cdev_gen_ipf(NIPF,ipl), /* 45: IP filter */
cdev_notdef(), /* 46 */
cdev_crypto_init(NCRYPTO,crypto), /* 47: /dev/crypto */
cdev_notdef(), /* 48 */
--- sys/arch/mvme68k/mvme68k/conf.c.orig Sat Feb 21 15:10:21 2004
+++ sys/arch/mvme68k/mvme68k/conf.c Thu Jul 8 14:08:04 2004
@@ -148,6 +148,12 @@
#include "bpfilter.h"
#include "tun.h"
+#ifdef IPFILTER
+#define NIPF 1
+#else
+#define NIPF 0
+#endif
+
#include "pf.h"
#include "systrace.h"
@@ -203,7 +209,7 @@
cdev_ss_init(NSS,ss), /* 42: SCSI scanner */
cdev_ksyms_init(NKSYMS,ksyms), /* 43: Kernel symbols device */
cdev_ch_init(NCH,ch), /* 44: SCSI autochanger */
- cdev_lkm_dummy(), /* 45 */
+ cdev_gen_ipf(NIPF,ipl), /* 45: IP filter */
cdev_lkm_dummy(), /* 46 */
cdev_lkm_dummy(), /* 47 */
cdev_lkm_dummy(), /* 48 */
--- sys/arch/mvme88k/mvme88k/conf.c.orig Sat Feb 21 15:10:24 2004
+++ sys/arch/mvme88k/mvme88k/conf.c Thu Jul 8 14:09:53 2004
@@ -99,6 +99,12 @@
cdev_decl(lptwo);
#endif /* notyet */
+#ifdef IPFILTER
+#define NIPF 1
+#else
+#define NIPF 0
+#endif
+
#include "pf.h"
#include "systrace.h"
@@ -189,7 +195,7 @@
cdev_ss_init(NSS,ss), /* 42 */
cdev_ksyms_init(NKSYMS,ksyms), /* 43: Kernel symbols device */
cdev_ch_init(NCH,ch), /* 44: SCSI autochanger */
- cdev_notdef(), /* 45 */
+ cdev_gen_ipf(NIPF,ipl), /* 45: IP filter */
cdev_notdef(), /* 46 */
cdev_notdef(), /* 47 */
cdev_notdef(), /* 48 */
--- sys/arch/mvmeppc/mvmeppc/conf.c.orig Sat Feb 21 15:10:29 2004
+++ sys/arch/mvmeppc/mvmeppc/conf.c Thu Jul 8 14:04:41 2004
@@ -112,6 +112,12 @@
#include "ksyms.h"
+#ifdef IPFILTER
+#define NIPF 1
+#else
+#define NIPF 0
+#endif
+
#include "pf.h"
#include "systrace.h"
@@ -165,7 +171,7 @@
cdev_uk_init(NUK,uk), /* 41: unknown SCSI */
cdev_ss_init(NSS,ss), /* 42: SCSI scanner */
cdev_ksyms_init(NKSYMS,ksyms), /* 43: Kernel symbols device */
- cdev_notdef(), /* 44 */
+ cdev_gen_ipf(NIPF,ipl), /* 44: IP filter */
cdev_notdef(), /* 45 */
cdev_notdef(), /* 46 */
cdev_notdef(), /* 47 */
--- sys/arch/sparc/sparc/conf.c.orig Sat Feb 21 15:10:36 2004
+++ sys/arch/sparc/sparc/conf.c Thu Jul 8 14:04:41 2004
@@ -124,6 +124,12 @@
};
int nblkdev = sizeof(bdevsw) / sizeof(bdevsw[0]);
+#ifdef IPFILTER
+#define NIPF 1
+#else
+#define NIPF 0
+#endif
+
#include "pf.h"
#include "systrace.h"
@@ -194,7 +200,7 @@
cdev_notdef(), /* 57 */
cdev_disk_init(NCD,cd), /* 58: SCSI CD-ROM */
cdev_pf_init(NPF,pf), /* 59: packet filter */
- cdev_notdef(), /* 60 */
+ cdev_gen_ipf(NIPF,ipl), /* 60: ip filtering log */
cdev_notdef(), /* 61 */
cdev_notdef(), /* 62 */
cdev_notdef(), /* 63 */
--- sys/arch/sparc64/sparc64/conf.c.orig Sat Feb 21 15:10:38 2004
+++ sys/arch/sparc64/sparc64/conf.c Thu Jul 8 14:04:41 2004
@@ -110,6 +110,12 @@
#include "ucom.h"
#include "uscanner.h"
+#ifdef IPFILTER
+#define NIPF 1
+#else
+#define NIPF 0
+#endif
+
#include "pf.h"
#ifdef XFS
@@ -246,7 +252,7 @@
cdev_mouse_init(NWSKBD, wskbd), /* 79: keyboards */
cdev_mouse_init(NWSMOUSE, wsmouse), /* 80: mice */
cdev_mouse_init(NWSMUX, wsmux), /* 81: ws multiplexor */
- cdev_notdef(), /* 82 */
+ cdev_gen_ipf(NIPF,ipl), /* 82: IP filter */
cdev_notdef(), /* 83 */
cdev_notdef(), /* 84 */
cdev_notdef(), /* 85 */
--- sys/arch/vax/vax/conf.c.orig Sat Feb 21 15:10:41 2004
+++ sys/arch/vax/vax/conf.c Thu Jul 8 14:04:41 2004
@@ -353,6 +353,12 @@
#include "wskbd.h"
#include "wsmouse.h"
+#ifdef IPFILTER
+#define NIPF 1
+#else
+#define NIPF 0
+#endif
+
#include "pf.h"
#include "systrace.h"
@@ -406,7 +412,7 @@
cdev_notdef(), /* 44 was Datakit */
cdev_notdef(), /* 45 was Datakit */
cdev_notdef(), /* 46 was Datakit */
- cdev_notdef(), /* 47 */
+ cdev_gen_ipf(NIPF,ipl), /* 47: IP filter */
cdev_notdef(), /* 48 */
cdev_systrace_init(NSYSTRACE,systrace), /* 49: system call tracing */
cdev_ksyms_init(NKSYMS,ksyms), /* 50: Kernel symbols device */
--- sys/arch/amd64/amd64/conf.c.orig Thu Feb 26 06:22:12 2004
+++ sys/arch/amd64/amd64/conf.c Sat Jul 10 12:31:46 2004
@@ -191,6 +191,12 @@
#include "pf.h"
+#ifdef IPFILTER
+#define NIPF 1
+#else
+#define NIPF 0
+#endif
+
struct cdevsw cdevsw[] =
{
cdev_cn_init(1,cn), /* 0: virtual console */
@@ -295,6 +301,7 @@
cdev_oci_init(NBIO,bio), /* 79: ioctl tunnel */
cdev_notdef(), /* 80: gpr? XXX */
cdev_ptm_init(NPTY,ptm), /* 81: pseudo-tty ptm device */
+ cdev_gen_ipf(NIPF, ipl), /* 82: IP Filtering */
};
int nchrdev = sizeof(cdevsw) / sizeof(cdevsw[0]);
--- sys/conf/GENERIC.orig Wed Mar 3 08:23:46 2004
+++ sys/conf/GENERIC Thu Jul 8 14:04:41 2004
@@ -72,6 +72,8 @@
#option EON # OSI tunneling over IP
#option NETATALK # AppleTalk
#option CCITT,LLC,HDLC # X.25
+option IPFILTER # IP packet filter for security
+option IPFILTER_LOG # use /dev/ipl to log IPF
option PPP_BSDCOMP # PPP BSD compression
option PPP_DEFLATE
#option MROUTING # Multicast router
--- sys/conf/files.orig Sun Mar 14 05:44:13 2004
+++ sys/conf/files Thu Jul 8 14:04:41 2004
@@ -719,6 +719,14 @@
file netinet/tcp_usrreq.c inet
file netinet/udp_usrreq.c inet
file netinet/ip_gre.c inet
+file netinet/ip_fil.c ipfilter
+file netinet/fil.c ipfilter
+file netinet/ip_nat.c ipfilter
+file netinet/ip_frag.c ipfilter
+file netinet/ip_state.c ipfilter
+file netinet/ip_proxy.c ipfilter
+file netinet/ip_auth.c ipfilter
+file netinet/ip_log.c ipfilter
file netinet/ip_ipsp.c (inet | inet6) & (ipsec | tcp_signature)
file netinet/ip_spd.c (inet | inet6) & (ipsec | tcp_signature)
file netinet/ip_ipip.c inet | inet6
--- sys/net/bridgestp.c.orig Wed Dec 3 09:00:10 2003
+++ sys/net/bridgestp.c Thu Jul 8 14:04:42 2004
@@ -58,6 +58,11 @@
#include <netinet/in_var.h>
#include <netinet/ip.h>
#include <netinet/if_ether.h>
+
+#ifdef IPFILTER
+#include <netinet/ip_compat.h>
+#include <netinet/ip_fil.h>
+#endif
#endif
#if NBPFILTER > 0
--- sys/net/if.c.orig Sun Feb 29 05:34:01 2004
+++ sys/net/if.c Thu Jul 8 14:04:42 2004
@@ -99,6 +99,12 @@
#include <netinet6/nd6.h>
#endif
+#ifdef IPFILTER
+#include <netinet/ip_compat.h>
+#include <netinet/ip_fil.h>
+#include <netinet/ip_nat.h>
+#endif
+
#if NBPFILTER > 0
#include <net/bpf.h>
#endif
@@ -556,6 +562,11 @@
/* Remove the interface from the list of all interfaces. */
TAILQ_REMOVE(&ifnet, ifp, if_list);
+
+#ifdef IPFILTER
+ /* XXX More ipf & ipnat cleanup needed. */
+ frsync();
+#endif
/*
* Deallocate private resources.
--- sys/net/if_bridge.c.orig Sat Feb 21 15:11:02 2004
+++ sys/net/if_bridge.c Thu Jul 8 14:04:42 2004
@@ -66,7 +66,11 @@
#include <netinet/ip_ipsp.h>
#include <net/if_enc.h>
+#if (defined(IPFILTER) || defined(IPFILTER_LKM))
+#include <netinet/ip_compat.h>
+#include <netinet/ip_fil.h>
#endif
+#endif
#ifdef INET6
#include <netinet/ip6.h>
@@ -152,7 +156,7 @@
int bridge_brlconf(struct bridge_softc *, struct ifbrlconf *);
u_int8_t bridge_filterrule(struct brl_head *, struct ether_header *,
struct mbuf *);
-#if NPF > 0
+#if (NPF > 0) || (defined(IPFILTER) || defined(IPFILTER_LKM))
struct mbuf *bridge_filter(struct bridge_softc *, int, struct ifnet *,
struct ether_header *, struct mbuf *m);
#endif
@@ -1218,7 +1222,7 @@
m_freem(m);
return;
}
-#if NPF > 0
+#if (NPF > 0) || (defined(IPFILTER) || defined(IPFILTER_LKM))
m = bridge_filter(sc, BRIDGE_IN, src_if, &eh, m);
if (m == NULL)
return;
@@ -1261,7 +1265,7 @@
m_freem(m);
return;
}
-#if NPF > 0
+#if (NPF > 0) || (defined(IPFILTER) || defined(IPFILTER_LKM))
m = bridge_filter(sc, BRIDGE_OUT, dst_if, &eh, m);
if (m == NULL)
return;
@@ -1509,7 +1513,7 @@
mc = m1;
}
-#if NPF > 0
+#if (NPF > 0) || (defined(IPFILTER) || defined(IPFILTER_LKM))
mc = bridge_filter(sc, BRIDGE_OUT, dst_if, eh, mc);
if (mc == NULL)
continue;
@@ -2287,6 +2291,12 @@
* We don't need to do loop detection, the
* bridge will do that for us.
*/
+#if defined(IPFILTER) || defined(IPFILTER_LKM)
+ if (dir == BRIDGE_OUT && fr_checkp &&
+ ((*fr_checkp)(ip, hlen, &encif[0].sc_if,
+ 1, &m) || !m))
+ return 1;
+#endif
#if NPF > 0
switch (af) {
#ifdef INET
@@ -2311,6 +2321,12 @@
if (m == NULL)
return (1);
#endif /* NPF */
+#if defined(IPFILTER) || defined(IPFILTER_LKM)
+ if (dir == BRIDGE_IN && fr_checkp &&
+ ((*fr_checkp)(ip, hlen, &encif[0].sc_if,
+ 0, &m) || !m))
+ return 1;
+#endif
error = ipsp_process_packet(m, tdb, af, 0);
return (1);
} else
@@ -2321,7 +2337,7 @@
}
#endif /* IPSEC */
-#if NPF > 0
+#if (NPF > 0) || (defined(IPFILTER) || defined(IPFILTER_LKM))
/*
* Filter IP packets by peeking into the ethernet frame. This violates
* the ISO model, but allows us to act as a IP filter at the data link
@@ -2424,14 +2440,32 @@
return (NULL);
#endif /* IPSEC */
-#if NPF > 0
+#if defined(IPFILTER) || defined(IPFILTER_LKM) || (NPF > 0)
/* Finally, we get to filter the packet! */
m->m_pkthdr.rcvif = ifp;
+#endif
+#if defined(IPFILTER) || defined(IPFILTER_LKM)
+ if (dir == BRIDGE_OUT) {
+ if (fr_checkp && (*fr_checkp)(ip, hlen, ifp, 1, &m))
+ goto dropit;
+ if (m == NULL)
+ goto dropit;
+ }
+#endif
+#if NPF > 0
if (pf_test(dir, ifp, &m) != PF_PASS)
goto dropit;
if (m == NULL)
goto dropit;
#endif /* NPF */
+#if defined(IPFILTER) || defined(IPFILTER_LKM)
+ if (dir == BRIDGE_IN) {
+ if (fr_checkp && (*fr_checkp)(ip, hlen, ifp, 0, &m))
+ goto dropit;
+ if (m == NULL)
+ goto dropit;
+ }
+#endif
/* Rebuild the IP header */
if (m->m_len < hlen && ((m = m_pullup(m, hlen)) == NULL))
@@ -2472,6 +2506,14 @@
return (NULL);
#endif /* IPSEC */
+#if defined(IPFILTER) || defined(IPFILTER_LKM)
+ if (dir == BRIDGE_OUT) {
+ if (fr_checkp && (*fr_checkp)(ip, hlen, ifp, 1, &m))
+ goto dropit;
+ if (m == NULL)
+ return (NULL);
+ }
+#endif
#if NPF > 0
if (pf_test6(dir, ifp, &m) != PF_PASS)
goto dropit;
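Review bot: In what appears to be the IPv6 branch (the context calls `pf_test6`), the added hook passes `ip` and `hlen`, which elsewhere in this patch describe an IPv4 header; `ip6_input.c` and `ip6_output.c` call the same hook with `(struct ip *)ip6, sizeof(*ip6)`. The declarations are outside the hunk, so confirm that `ip` and `hlen` are valid at this point; if the branch has its own IPv6 header pointer, the call should take the form `(*fr_checkp)((struct ip *)ip6, sizeof(*ip6), ifp, 1, &m)`. Otherwise the filter may evaluate stale or uninitialised header data and reach a pass/block decision unrelated to the packet. The next hunk (the `BRIDGE_IN` check after `pf_test6`) passes the same arguments.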
@@ -2478,6 +2520,14 @@
if (m == NULL)
return (NULL);
#endif /* NPF */
+#if defined(IPFILTER) || defined(IPFILTER_LKM)
+ if (dir == BRIDGE_IN) {
+ if (fr_checkp && (*fr_checkp)(ip, hlen, ifp, 0, &m))
+ goto dropit;
+ if (m == NULL)
+ return (NULL);
+ }
+#endif
break;
}
@@ -2509,7 +2559,7 @@
m_freem(m);
return (NULL);
}
-#endif /* NPF > 0 */
+#endif /* (NPF > 0) || (defined(IPFILTER) || defined(IPFILTER_LKM)) */
void
bridge_fragment(struct bridge_softc *sc, struct ifnet *ifp,
--- sys/netinet/in_proto.c.orig Tue Dec 16 15:33:09 2003
+++ sys/netinet/in_proto.c Thu Jul 8 14:04:42 2004
@@ -159,6 +159,11 @@
#include <netinet/ip_mroute.h>
#endif /* MROUTING */
+#ifdef IPFILTER
+void iplinit __P((void));
+#define ip_init iplinit
+#endif
+
#ifdef INET6
#include <netinet6/ip6_var.h>
#endif /* INET6 */
--- sys/netinet/ip_input.c.orig Tue Mar 16 10:36:27 2004
+++ sys/netinet/ip_input.c Thu Jul 8 14:04:42 2004
@@ -149,6 +149,10 @@
struct in_ifaddrhead in_ifaddr;
struct ifqueue ipintrq;
+#if defined(IPFILTER) || defined(IPFILTER_LKM)
+int (*fr_checkp) __P((struct ip *, int, struct ifnet *, int, struct mbuf **));
+#endif
+
int ipq_locked;
static __inline int ipq_lock_try(void);
static __inline void ipq_unlock(void);
@@ -404,6 +408,23 @@
ip = mtod(m, struct ip *);
hlen = ip->ip_hl << 2;
pfrdr = (pfrdr != ip->ip_dst.s_addr);
+#endif
+
+#if defined(IPFILTER) || defined(IPFILTER_LKM)
+ /*
+ * Check if we want to allow this packet to be processed.
+ * Consider it to be bad if not.
+ */
+ {
+ struct mbuf *m0 = m;
+ if (fr_checkp && (*fr_checkp)(ip, hlen, m->m_pkthdr.rcvif, 0, &m0)) {
+ return;
+ }
+ if (m0 == 0) { /* in case of 'fastroute' */
+ return;
+ }
+ ip = mtod(m = m0, struct ip *);
+ }
#endif
/*
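Review bot: After the hook, `ip` is reloaded from the possibly replaced mbuf (`ip = mtod(m = m0, struct ip *)`) but `hlen` keeps the value computed before the call. The IPsec-path hook in `ip_output.c` follows the same reload with `hlen = ip->ip_hl << 2;`. If the filter or NAT code can hand back a packet whose header length differs, later code would work with a stale length; adding `hlen = ip->ip_hl << 2;` after the reload keeps the two call sites consistent. The second `ip_output.c` hook (before the "Packet filter" comment) also omits the recomputation. The body of the input routine continues outside this hunk, so how `hlen` is used afterwards is not visible here.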
--- sys/netinet/ip_output.c.orig Sat Feb 21 15:11:04 2004
+++ sys/netinet/ip_output.c Thu Jul 8 14:04:42 2004
@@ -82,6 +82,10 @@
static struct mbuf *ip_insertoptions(struct mbuf *, struct mbuf *, int *);
static void ip_mloopback(struct ifnet *, struct mbuf *, struct sockaddr_in *);
+#if defined(IPFILTER) || defined(IPFILTER_LKM)
+extern int (*fr_checkp) __P((struct ip *, int, struct ifnet *, int, struct mbuf **));
+#endif
+
/*
* IP output. The packet in mbuf chain m contains a skeletal IP
* header (with len, off, ttl, proto, tos, src, dst).
@@ -555,7 +559,31 @@
if (sproto != 0) {
s = splnet();
+#if defined(IPFILTER) || defined(IPFILTER_LKM)
+ if (fr_checkp) {
/*
+ * Ok, it's time for a simple round-trip to the IPF/NAT
+ * code with the enc0 interface.
+ */
+ struct mbuf *m1 = m;
+ void *ifp = (void *)&encif[0].sc_if;
+
+ if ((*fr_checkp)(ip, hlen, ifp, 1, &m1)) {
+ error = EHOSTUNREACH;
+ splx(s);
+ goto done;
+ }
+ if (m1 == 0) { /* in case of 'fastroute' */
+ error = 0;
+ splx(s);
+ goto done;
+ }
+ ip = mtod(m = m1, struct ip *);
+ hlen = ip->ip_hl << 2;
+ }
+#endif /* IPFILTER */
+
+ /*
* Packet filter
*/
#if NPF > 0
@@ -653,6 +681,25 @@
m->m_pkthdr.csum &= ~M_UDPV4_CSUM_OUT; /* Clear */
}
}
+
+#if defined(IPFILTER) || defined(IPFILTER_LKM)
+ /*
+ * looks like most checking has been done now...do a filter check
+ */
+ {
+ struct mbuf *m1 = m;
+
+ if (fr_checkp && (*fr_checkp)(ip, hlen, ifp, 1, &m1)) {
+ error = EHOSTUNREACH;
+ goto done;
+ }
+ if (m1 == 0) { /* in case of 'fastroute' */
+ error = 0;
+ goto done;
+ }
+ ip = mtod(m = m1, struct ip *);
+ }
+#endif
/*
* Packet filter
--- sys/netinet6/ip6_input.c.orig Sat Feb 21 15:11:05 2004
+++ sys/netinet6/ip6_input.c Thu Jul 8 14:04:42 2004
@@ -128,6 +128,10 @@
static int ip6_hopopts_input(u_int32_t *, u_int32_t *, struct mbuf **, int *);
static struct mbuf *ip6_pullexthdr(struct mbuf *, size_t, int);
+#if defined(IPFILTER) || defined(IPFILTER_LKM)
+extern int (*fr_checkp) __P((struct ip *, int, struct ifnet *, int, struct mbuf **));
+#endif
+
/*
* IP6 initialization: fill in IP6 protocol switch table.
* All protocols not implemented in kernel go to raw IP6 protocol handler.
@@ -244,6 +248,26 @@
in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_hdrerr);
goto bad;
}
+
+#if defined(IPFILTER) || defined(IPFILTER_LKM)
+ /*
+ * Check if we want to allow this packet to be processed.
+ * Consider it to be bad if not.
+ */
+ if (fr_checkp != NULL) {
+ struct mbuf *m0 = m;
+
+ if ((*fr_checkp)((struct ip *)ip6, sizeof(*ip6),
+ m->m_pkthdr.rcvif, 0, &m0)) {
+ return;
+ }
+ m = m0;
+ if (m == 0) { /* in case of 'fastroute' */
+ return;
+ }
+ ip6 = mtod(m, struct ip6_hdr *);
+ }
+#endif
ip6stat.ip6s_nxthist[ip6->ip6_nxt]++;
--- sys/netinet6/ip6_output.c.orig Thu Feb 5 08:11:17 2004
+++ sys/netinet6/ip6_output.c Thu Jul 8 14:11:07 2004
@@ -118,6 +118,9 @@
static int ip6_pcbopts(struct ip6_pktopts **, struct mbuf *, struct socket *);
static int ip6_setmoptions(int, struct ip6_moptions **, struct mbuf *);
+#if defined(IPFILTER) || defined(IPFILTER_LKM)
+extern int (*fr_checkp) __P((struct ip *, int, struct ifnet *, int, struct mbuf **));
+#endif
static int ip6_getmoptions(int, struct ip6_moptions *, struct mbuf **);
static int ip6_copyexthdr(struct mbuf **, caddr_t, int);
static int ip6_insertfraghdr(struct mbuf *, struct mbuf *, int,
@@ -124,7 +127,7 @@
struct ip6_frag **);
static int ip6_insert_jumboopt(struct ip6_exthdrs *, u_int32_t);
static int ip6_splithdr(struct mbuf *, struct ip6_exthdrs *);
-static int ip6_getpmtu(struct route_in6 *, struct route_in6 *,
+int ip6_getpmtu(struct route_in6 *, struct route_in6 *,
struct ifnet *, struct in6_addr *, u_long *, int *);
/*
@@ -797,6 +800,25 @@
goto done;
ip6 = mtod(m, struct ip6_hdr *);
#endif
+
+#if defined(IPFILTER) || defined(IPFILTER_LKM)
+ /*
+ * looks like most checking has been done now...do a filter check
+ */
+ if (fr_checkp != NULL) {
+ struct mbuf *m1 = m;
+ if ((*fr_checkp)((struct ip *)ip6, sizeof(*ip6), ifp, 1, &m1)) {
+ error = EHOSTUNREACH;
+ goto done;
+ }
+ m = m1;
+ if (m1 == 0) { /* in case of 'fastroute' */
+ error = 0;
+ goto done;
+ }
+ ip6 = mtod(m, struct ip6_hdr *);
+ }
+#endif
/*
* Send the packet to the outgoing interface.
@@ -1192,7 +1214,7 @@
return (0);
}
-static int
+int
ip6_getpmtu(ro_pmtu, ro, ifp, dst, mtup, alwaysfragp)
struct route_in6 *ro_pmtu, *ro;
struct ifnet *ifp;
--- sys/sys/conf.h.orig Sat Feb 21 15:11:07 2004
+++ sys/sys/conf.h Thu Jul 8 15:11:14 2004
@@ -406,6 +406,13 @@
dev_init(c,n,write), dev_init(c,n,ioctl), (dev_type_stop((*))) enodev, \
0, (dev_type_poll((*))) enodev, (dev_type_mmap((*))) enodev }
+/* open, close, read, ioctl */
+#define cdev_gen_ipf(c, n) { \
+dev_init(c,n,open), dev_init(c,n,close), dev_init(c,n,read), \
+ (dev_type_write((*))) enodev, dev_init(c,n,ioctl), \
+ (dev_type_stop((*))) enodev, 0, (dev_type_poll((*))) enodev, \
+ (dev_type_mmap((*))) enodev }
+
/* open, close, ioctl */
#define cdev_pf_init(c,n) { \
dev_init(c,n,open), dev_init(c,n,close), (dev_type_read((*))) enodev, \
@@ -586,6 +593,7 @@
cdev_decl(bpf);
+cdev_decl(ipl);
cdev_decl(pf);
cdev_decl(tun);

86
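--- a/dist/ipf/OpenBSD-3/README.3_4
+++ b/dist/ipf/OpenBSD-3/README.3_4
@@ -0,0 +1,86 @@
+Installing IPFilter into OpenBSD 3.4 Kernel
+===========================================
+The installation of IPFilter should be as easy as following the steps
+below. In cases where "i386" is mentioned, if you are working on a
+different platform, substitute that name there and it should work equally
+as well. The patches include enabling IPFilter for IPv4 filtering, IPv6
+filtering and bridge filtering.
+The commands given below are intended as guides rather than exact matches
+on what needs to be typed. In many cases, paths to files or directories
+may bear little resemblence to what is presented below.
+You may encounter difficulties with step 7 if you have made changes to the
+rc files which cause "patch" to not be able to work out how to apply the
+changes correctly.
+If the below steps are followed with no problems then it should be safe to
+perform step 8 and reboot with the new kernel. Of course if you are not
+using GENERIC then substitute GENERIC for your kernel name. If your kernel
+config file includes the "GENERIC" one then you will not need to add explicit
+options for IPFilter.
+1. Extract your source tree into /usr/src, creating /usr/src/sys.
+cd /usr/src
+gunzip -c sys.tar.gz | tar xpf -
+2. Unpack IPFilter and apply the patches to the kernel source
+cd ~
+gunzip -c ip_fil4.1.3.tar.gz | tar xpf -
+cd /usr/src
+patch < ~/ip_fil4.1.3/OpenBSD-3/3.4-sys-diffs
+3. Add IPFilter to the source code tree:
+cd ~/ip_fil4.1.3
+BSD/kupgrade
+If you want to build a new release with IPFilter, stop here and goto
+the section below titled "Building a Release".
+4. Build a new OpenBSD kernel
+/bin/rm -rf /sys/arch/i386/compile/GENERIC
+cd /sys/arch/i386/conf
+config GENERIC
+cd ../compile/GENERIC
+make depend && make
+cp bsd /bsd
+5. Build and install IPFilter
+cd ip_fil4.1.3
+make openbsd
+make install-bsd
+OpenBSD-3/makedevs-3.4
+6. Patch rc scripts in /etc
+cd /etc
+patch < ~/ip_fil4.1.3/OpenBSD-3/3.4-rc-diffs
+7. Reboot
+IPFilter device files
+=====================
+Patches to include making IPFilter devices can be found in the file
+3.4-MAKEDEV-diffs. These diffs are generally only of interested if
+you are going to be building a distribution for others and want the
+correct MAKEDEV scripts to be built. You may also wish to use this
+to patch /dev/MAKEDEV on your machine to be correct. Pre-fab'd MAKEDEV
+scripts (or individual patches) for each architecture are not provided.
+You will need to have extracted "./etc" from src.tar.gz to use these
+patches.
+Building a Release
+==================
+cd /usr/src
+patch < ~/ip_fil4.1.3/OpenBSD-3/3.4-rc-diffs
+patch < ~/ip_fil4.1.3/OpenBSD-3/3.4-MAKEDEV-diffs
+cd ~/ip_fil4.1.3
+./OpenBSD-3/fixdist-3.4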

86
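--- a/dist/ipf/OpenBSD-3/README.3_5
+++ b/dist/ipf/OpenBSD-3/README.3_5
@@ -0,0 +1,86 @@
+Installing IPFilter into OpenBSD 3.5 Kernel
+===========================================
+The installation of IPFilter should be as easy as following the steps
+below. In cases where "i386" is mentioned, if you are working on a
+different platform, substitute that name there and it should work equally
+as well. The patches include enabling IPFilter for IPv4 filtering, IPv6
+filtering and bridge filtering.
+The commands given below are intended as guides rather than exact matches
+on what needs to be typed. In many cases, paths to files or directories
+may bear little resemblence to what is presented below.
+You may encounter difficulties with step 7 if you have made changes to the
+rc files which cause "patch" to not be able to work out how to apply the
+changes correctly.
+If the below steps are followed with no problems then it should be safe to
+perform step 8 and reboot with the new kernel. Of course if you are not
+using GENERIC then substitute GENERIC for your kernel name. If your kernel
+config file includes the "GENERIC" one then you will not need to add explicit
+options for IPFilter.
+1. Extract your source tree into /usr/src, creating /usr/src/sys.
+cd /usr/src
+gunzip -c sys.tar.gz | tar xpf -
+2. Unpack IPFilter and apply the patches to the kernel source
+cd ~
+gunzip -c ip_fil4next.tar.gz | tar xpf -
+cd /usr/src
+patch < ~/ip_fil4next/OpenBSD-3/3.5-sys-diffs
+3. Add IPFilter to the source code tree:
+cd ~/ip_fil4next
+BSD/kupgrade
+If you want to build a new release with IPFilter, stop here and goto
+the section below titled "Building a Release".
+4. Build a new OpenBSD kernel
+/bin/rm -rf /sys/arch/i386/compile/GENERIC
+cd /sys/arch/i386/conf
+config GENERIC
+cd ../compile/GENERIC
+make depend && make
+cp bsd /bsd
+5. Build and install IPFilter
+cd ip_fil4next
+make openbsd
+make install-bsd
+OpenBSD-3/makedevs-3.5
+6. Patch rc scripts in /etc
+cd /etc
+patch < ~/ip_fil4next/OpenBSD-3/3.5-rc-diffs
+7. Reboot
+IPFilter device files
+=====================
+Patches to include making IPFilter devices can be found in the file
+3.5-MAKEDEV-diffs. These diffs are generally only of interested if
+you are going to be building a distribution for others and want the
+correct MAKEDEV scripts to be built. You may also wish to use this
+to patch /dev/MAKEDEV on your machine to be correct. Pre-fab'd MAKEDEV
+scripts (or individual patches) for each architecture are not provided.
+You will need to have extracted "./etc" from src.tar.gz to use these
+patches.
+Building a Release
+==================
+cd /usr/src
+patch < ~/ip_fil4next/OpenBSD-3/3.5-rc-diffs
+patch < ~/ip_fil4next/OpenBSD-3/3.5-MAKEDEV-diffs
+cd ~/ip_fil4next
+./OpenBSD-3/fixdist-3.5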

497
dist/ipf/OpenBSD-3/fixdist-3.4 vendored Normal file

@ -0,0 +1,497 @@
.\" $NetBSD: fixdist-3.4,v 1.1.1.1 2004/07/23 05:34:24 martti Exp $
.\"
#!/bin/sh
#
# Install IPFilter into the source tree of OpenBSD 3.3
#
if [ $# -eq 1 ] ; then
if [ "$1" = "-d" ] ; then
debug=echo
fi
fi
copyfiles() {
while [ $# -gt 0 ] ; do
if [ X"$1" = X"\\" ] ; then
:
elif [ -f $IPFDIR/$1 ] ; then
$debug cp -p $IPFDIR/$1 .
elif [ -f $IPFDIR/man/$1 ] ; then
$debug cp -p $IPFDIR/man/$1 .
elif [ -f $IPFDIR/iplang/$1 ] ; then
$debug cp -p $IPFDIR/iplang/$1 .
elif [ -f $IPFDIR/ipsend/$1 ] ; then
$debug cp -p $IPFDIR/ipsend/$1 .
else
echo "Could not find $IPFDIR/$1"
fi
shift
done
}
prep() {
$debug mkdir $1
$debug cd $1
}
IPFDIR=`pwd`
SRC=/usr/src
#
# 3 Programs into /sbin: ipf, ipfstat, ipnat
#
cd $SRC/sbin
/bin/rm -rf ipf ipfstat ipnat
prep ipf
MFILES="ipf.8 ipf.4 ipf.5 ipl.4"
SFILES="ipf.c parse.c opt.c facpri.c common.c"
IFILES="ipf.h facpri.h"
if [ X$debug = X ] ; then
OFILE=Makefile
else
OFILE=/dev/tty
fi
cat > ${OFILE} << __EOF__
# $OpenBSD: Makefile,v 1.10 2001/01/17 05:00:57 fgsch Exp $
PROG= ipf
MAN= ${MFILES}
SRCS= ${SFILES}
CFLAGS+=-DUSE_INET6 -I\${.CURDIR}/../../sys/netinet
.include <bsd.prog.mk>
__EOF__
copyfiles $MFILES $SFILES $IFILES
echo "`pwd` done"
#
# Setup ipfstat(8)
#
prep ../ipfstat
MFILES=ipfstat.8
SFILES="fils.c parse.c opt.c kmem.c facpri.c common.c printstate.c"
IFILES=kmem.h
cat > ${OFILE} << __EOF__
# $OpenBSD: Makefile,v 1.8 2001/02/13 01:12:33 fgsch Exp $
PROG= ipfstat
MAN= ${MFILES}
SRCS= ${SFILES}
.PATH: \${.CURDIR}/../../sbin/ipf
CFLAGS+=-DUSE_INET6 -I\${.CURDIR}/../../sbin/ipf -DSTATETOP \\
-I\${.CURDIR}/../../sys/netinet
DPADD= \${LIBCURSES}
LDADD= -lcurses -lkvm
.include <bsd.prog.mk>
__EOF__
copyfiles $MFILES $SFILES $IFILES
echo "`pwd` done"
#
# Setup ipnat(8)
#
prep ../ipnat
MFILES="ipnat.8 ipnat.4 ipnat.5"
SFILES="ipnat.c kmem.c natparse.c common.c printnat.c"
IFILES=
cat > ${OFILE} << __EOF__
# $OpenBSD: Makefile,v 1.10 2001/01/17 05:01:01 fgsch Exp $
PROG= ipnat
MAN= ${MFILES}
SRCS= ${SFILES}
.PATH: \${.CURDIR}/../ipfstat \${.CURDIR}/../ipf
CFLAGS+=-DUSE_INET6 -I\${.CURDIR}/../../sbin/ipfstat -I\${.CURDIR}/../ipf \\
-I\${.CURDIR}/../../sys/netinet
LDADD= -lkvm
.include <bsd.prog.mk>
__EOF__
copyfiles $MFILES $SFILES
echo "`pwd` done"
#
# Now fix up the top level Makefile
#
cd $SRC/sbin
grep -q ipf Makefile
if [ $? -ne 0 ] ; then
cat <<__EOF__ | patch
*** Makefile.orig Sat Sep 7 07:15:55 2002
--- Makefile Wed Nov 13 12:33:36 2002
***************
*** 33,36 ****
--- 33,39 ----
# Man pages (and manpages to do)
SUBDIR+= fdisk pdisk ancontrol wicontrol wsconsctl
+ # IPFilter
+ SUBDIR+= ipf ipfstat ipnat
+
.include <bsd.subdir.mk>
__EOF__
fi
#
# 3 Programs into /usr/sbin: ipfs, ipfstat, ipmon
# Also, include ipsend suite of tools.
#
cd $SRC/usr.sbin
/bin/rm -rf ipfs ipftest ipmon ipsend
#
# Create directory for ipftest
#
prep ipftest
MFILES=ipftest.1
SFILES="ipt.c fil.c ipft_hx.c ipft_sn.c ipft_ef.c ipft_td.c ipft_pc.c \\
ipft_tx.c misc.c parse.c opt.c ip_frag.c ip_nat.c ip_state.c \\
ip_auth.c ip_fil.c ip_proxy.c facpri.c natparse.c common.c \\
printnat.c printstate.c ip_log.c"
IFILES="ipt.h pcap.h snoop.h kmem.h bpf.h"
cat > ${OFILE} << __EOF__
# $OpenBSD: Makefile,v 1.9 2001/01/17 06:01:21 fgsch Exp $
PROG= ipftest
MAN= ${MFILES}
SRCS= ${SFILES}
.PATH: \${.CURDIR}/../../sbin/ipf \${.CURDIR}/../../sbin/ipfstat \\
\${.CURDIR}/../../sys/netinet \${.CURDIR}/../../sbin/ipnat
CFLAGS+=-DUSE_INET6 -I\${.CURDIR}/../../sbin/ipf -DIPFILTER_LOG \\
-I\${.CURDIR}/../../sys/netinet -I\${.CURDIR}/../../sys -I\${.CURDIR}
.include <bsd.prog.mk>
__EOF__
copyfiles $MFILES $SFILES $IFILES
echo "`pwd` done"
#
# Create directory for ipfs
#
prep ../ipfs
MFILES=ipfs.8
SFILES=ipfs.c
IFILES=
cat > ${OFILE} << __EOF__
# \$OpenBSD: Makefile,v 1.1 2001/01/17 06:31:06 fgsch Exp \$
PROG= ipfs
MAN= ${MFILES}
SRCS= ${SFILES}
CFLAGS+=-DUSE_INET6 -I\${.CURDIR}/../../sbin/ipf \\
-I\${.CURDIR}/../../sys/netinet
.include <bsd.prog.mk>
__EOF__
copyfiles $MFILES $SFILES $IFILES
echo "`pwd` done"
#
#
#
prep ../ipmon
MFILES=ipmon.8
SFILES=ipmon.c
IFILES=
cat > ${OFILE} << __EOF__
# \$OpenBSD: Makefile,v 1.4 1998/09/15 10:01:38 pattonme Exp \$
PROG= ipmon
MAN= ${MFILES}
SRCS= ${SFILES}
CFLAGS+=-DUSE_INET6 -I\${.CURDIR}/../../sys/netinet
.include <bsd.prog.mk>
__EOF__
copyfiles $MFILES $SFILES $IFILES
echo "`pwd` done"
#
# Create top level directories for ipsend
#
prep ../ipsend
cat > ${OFILE} << __EOF__
# $OpenBSD: Makefile,v 1.4 1997/09/21 11:43:47 deraadt Exp $
SUBDIR= ipsend ipresend iptest
.include <bsd.subdir.mk>
__EOF__
echo "`pwd` done"
prep iplang
copyfiles iplang.h
#
# 1st ipsend program - ipsend itself
#
prep ../ipsend
MFILES="ipsend.1 ipsend.5"
SFILES="ipsend.c ip.c ipsopt.c sbpf.c sock.c 44arp.c iplang_y.y iplang_l.l"
IFILES="ipsend.h iplang.h"
cat > ${OFILE} << __EOF__
# $OpenBSD: Makefile,v 1.3 1998/01/26 19:46:23 weingart Exp $
PROG= ipsend
BINDIR= /usr/sbin
MAN= ${MFILES}
SRCS= ${SFILES}
CFLAGS+= -DDOSOCKET -I\${.CURDIR}/../common -I\${.CURDIR}/../../ipftest \\
-I\${.CURDIR}/../../../sbin/ipf -I\${.CURDIR}/../../../sys/netinet \\
-I\${.CURDIR}/.. -I\${.OBJDIR}
LDADD= -lfl
CLEANFILES+=y.tab.h
.PATH: \${.CURDIR}/../common
.include <bsd.prog.mk>
__EOF__
copyfiles $MFILES $SFILES $IFILES
echo "`pwd` done"
#
# 2nd ipsend program - ipresend
#
prep ../ipresend
MFILES=ipresend.1
SFILES="ipresend.c resend.c \\
ipft_ef.c ipft_hx.c ipft_pc.c ipft_sn.c ipft_td.c ipft_tx.c opt.c \\
sock.c 44arp.c sbpf.c ip.c"
IFILES="ipsend.h bpf.h"
cat > ${OFILE} << __EOF__
# \$OpenBSD: Makefile,v 1.4 1999/02/21 23:11:05 tholo Exp \$
PROG= ipresend
BINDIR= /usr/sbin
MAN= ${MFILES}
SRCS= ${SFILES}
CFLAGS+=-DDOSOCKET -I\${.CURDIR}/../common -I\${.CURDIR}/../../ipftest \\
-I\${.CURDIR}/../../../sbin/ipf \\
-I\${.CURDIR}/../../../sys/netinet -I\${.CURDIR}/..
.PATH: \${.CURDIR}/../common \${.CURDIR}/../../ipftest \\
\${.CURDIR}/../../../sbin/ipf
.include <bsd.prog.mk>
__EOF__
copyfiles $MFILES $SFILES $IFILES
echo "`pwd` done"
#
# 3rd ipsend program - iptest
#
prep ../iptest
MFILES=iptest.1
SFILES="iptest.c iptests.c ip.c sbpf.c sock.c 44arp.c"
IFILES="ipsend.h"
cat > ${OFILE} << __EOF__
# \$OpenBSD: Makefile,v 1.2 1998/01/26 04:17:08 dgregor Exp \$
PROG= iptest
BINDIR= /usr/sbin
MAN= ${MFILES}
SRCS= ${SFILES}
CFLAGS+=-DDOSOCKET -I\${.CURDIR}/../common -I\${.CURDIR}/../../ipftest \\
-I\${.CURDIR}/../../../sys/netinet \\
-I\${.CURDIR}/../../../sbin/ipf -I\${.CURDIR}/..
.PATH: \${.CURDIR}/../common
.include <bsd.prog.mk>
__EOF__
copyfiles $MFILES $SFILES $IFILES
echo "`pwd` done"
cd $SRC/usr.sbin
grep -q ipmon Makefile
if [ $? -ne 0 ] ; then
cat << __EOF__ | patch
*** Makefile.orig Fri Jun 21 16:22:20 2002
--- Makefile Wed Nov 13 12:33:43 2002
***************
*** 40,43 ****
--- 40,46 ----
SUBDIR+=ypbind yppoll ypset ypserv
.endif
+ # IPFilter
+ SUBDIR+=ipftest ipfs ipmon ipsend
+
.include <bsd.subdir.mk>
__EOF__
fi
echo "Patching base install set"
cd $SRC
cd distrib/sets/lists/base
grep -q ipfstat mi
if [ $? -ne 0 ] ; then
cat << __EOF__ | patch
*** mi.orig Mon Sep 30 04:28:45 2002
--- mi Wed Nov 13 12:33:44 2002
***************
*** 90,95 ****
--- 90,98 ----
./sbin/halt
./sbin/ifconfig
./sbin/init
+ ./sbin/ipf
+ ./sbin/ipfstat
+ ./sbin/ipnat
./sbin/ipsecadm
./sbin/isakmpd
./sbin/lmccontrol
***************
*** 1273,1278 ****
--- 1276,1287 ----
./usr/sbin/httpd
./usr/sbin/inetd
./usr/sbin/iostat
+ ./usr/sbin/ipfs
+ ./usr/sbin/ipftest
+ ./usr/sbin/ipmon
+ ./usr/sbin/ipresend
+ ./usr/sbin/ipsend
+ ./usr/sbin/iptest
./usr/sbin/kadmin
./usr/sbin/kdb_destroy
./usr/sbin/kdb_edit
__EOF__
fi
echo "Patching etc Makefile"
cd $SRC
cd etc
grep -q ipf.conf Makefile
if [ $? -ne 0 ] ; then
cat << __EOF__ | patch
*** Makefile.orig Sat Sep 7 07:30:22 2002
--- Makefile Wed Nov 13 12:38:44 2002
***************
*** 14,20 ****
BINGRP= wheel
BIN1= bootptab changelist ccd.conf csh.cshrc csh.login csh.logout \\
daily dhcpd.conf dhcpd.interfaces exports ftpusers \\
! ftpchroot gettytab group hosts hosts.lpd inetd.conf \\
ksh.kshrc locate.rc man.conf monthly motd mrouted.conf \\
myname netstart networks newsyslog.conf pf.conf \\
phones printcap protocols rbootd.conf rc rc.conf rc.local \\
--- 14,20 ----
BINGRP= wheel
BIN1= bootptab changelist ccd.conf csh.cshrc csh.login csh.logout \\
daily dhcpd.conf dhcpd.interfaces exports ftpusers \\
! ftpchroot gettytab group hosts hosts.lpd inetd.conf ipf.conf \\
ksh.kshrc locate.rc man.conf monthly motd mrouted.conf \\
myname netstart networks newsyslog.conf pf.conf \\
phones printcap protocols rbootd.conf rc rc.conf rc.local \\
__EOF__
fi
echo "Patching etc mi install set"
cd $SRC
cd distrib/sets/lists/etc
grep -q ipf.conf mi
if [ $? -ne 0 ] ; then
cat << __EOF__ | patch
*** mi.orig Sat Sep 28 20:23:13 2002
--- mi Wed Nov 13 12:33:44 2002
***************
*** 29,34 ****
--- 29,35 ----
./etc/hosts.equiv
./etc/hosts.lpd
./etc/inetd.conf
+ ./etc/ipf.conf
./etc/kerberosIV/README
./etc/kerberosIV/krb.conf
./etc/kerberosIV/krb.equiv
__EOF__
fi
echo "Patching man install set"
cd $SRC
cd distrib/sets/lists/man
grep -q ipfstat mi
if [ $? -ne 0 ] ; then
cat << __EOF__ | patch
*** mi.orig Thu Oct 3 09:49:02 2002
--- mi Wed Nov 13 12:33:45 2002
***************
*** 322,327 ****
--- 322,331 ----
./usr/share/man/cat1/intro.0
./usr/share/man/cat1/ipcrm.0
./usr/share/man/cat1/ipcs.0
+ ./usr/share/man/cat1/ipftest.0
+ ./usr/share/man/cat1/ipresend.0
+ ./usr/share/man/cat1/ipsend.0
+ ./usr/share/man/cat1/iptest.0
./usr/share/man/cat1/jobs.0
./usr/share/man/cat1/join.0
./usr/share/man/cat1/jot.0
***************
*** 1063,1068 ****
--- 1067,1075 ----
./usr/share/man/cat4/ip.0
./usr/share/man/cat4/ip6.0
./usr/share/man/cat4/ipcomp.0
+ ./usr/share/man/cat4/ipf.0
+ ./usr/share/man/cat4/ipl.0
+ ./usr/share/man/cat4/ipnat.0
./usr/share/man/cat4/ipsec.0
./usr/share/man/cat4/isa.0
./usr/share/man/cat4/isapnp.0
***************
*** 1434,1439 ****
--- 1441,1449 ----
./usr/share/man/cat5/info.0
./usr/share/man/cat5/inode.0
./usr/share/man/cat5/intro.0
+ ./usr/share/man/cat5/ipf.0
+ ./usr/share/man/cat5/ipnat.0
+ ./usr/share/man/cat5/ipsend.0
./usr/share/man/cat5/isakmpd.conf.0
./usr/share/man/cat5/isakmpd.policy.0
./usr/share/man/cat5/keynote.0
***************
*** 1681,1686 ****
--- 1691,1701 ----
./usr/share/man/cat8/intro.0
./usr/share/man/cat8/iopctl.0
./usr/share/man/cat8/iostat.0
+ ./usr/share/man/cat8/ipf.0
+ ./usr/share/man/cat8/ipfs.0
+ ./usr/share/man/cat8/ipfstat.0
+ ./usr/share/man/cat8/ipmon.0
+ ./usr/share/man/cat8/ipnat.0
./usr/share/man/cat8/ipsecadm.0
./usr/share/man/cat8/isakmpd.0
./usr/share/man/cat8/kadmin.0
__EOF__
fi
echo Creating etc/ipf.conf
cd $SRC
cd etc
if [ ! -f ipf.conf ] ; then
cat > ipf.conf << __EOF__
#
# See ipf(5) for syntax and examples.
#
# Pass all packets in and out (these are the implicit first two rules.)
# pass in all
# pass out all
__EOF__
fi
exit 0
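Review bot: The `-d` dry-run switch only covers `prep` and `copyfiles`: `/bin/rm -rf ipf ipfstat ipnat`, `/bin/rm -rf ipfs ipftest ipmon ipsend` and every `cat << __EOF__ | patch` still run for real when `debug=echo` is set. The `cd $SRC/sbin` and `cd $SRC/usr.sbin` in front of those removals are unchecked, so if the source tree is missing the recursive delete runs in whatever directory the script was started from; `cd $SRC/sbin || exit 1` and `$debug /bin/rm -rf ipf ipfstat ipnat` would cover both. The here-documents use an unquoted `__EOF__`, so the unescaped `$OpenBSD: ... $` tags lose `$OpenBSD` to shell expansion while the `\$OpenBSD` ones survive; escaping all of them keeps the generated Makefiles consistent. The header comment still says OpenBSD 3.3, and the two `.\"` lines ahead of `#!/bin/sh` mean the shebang is not the first line of the file. fixdist-3.5 is the same script and has the same issues.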

497
dist/ipf/OpenBSD-3/fixdist-3.5 vendored Normal file

@ -0,0 +1,497 @@
.\" $NetBSD: fixdist-3.5,v 1.1.1.1 2004/07/23 05:34:24 martti Exp $
.\"
#!/bin/sh
#
# Install IPFilter into the source tree of OpenBSD 3.3
#
if [ $# -eq 1 ] ; then
if [ "$1" = "-d" ] ; then
debug=echo
fi
fi
copyfiles() {
while [ $# -gt 0 ] ; do
if [ X"$1" = X"\\" ] ; then
:
elif [ -f $IPFDIR/$1 ] ; then
$debug cp -p $IPFDIR/$1 .
elif [ -f $IPFDIR/man/$1 ] ; then
$debug cp -p $IPFDIR/man/$1 .
elif [ -f $IPFDIR/iplang/$1 ] ; then
$debug cp -p $IPFDIR/iplang/$1 .
elif [ -f $IPFDIR/ipsend/$1 ] ; then
$debug cp -p $IPFDIR/ipsend/$1 .
else
echo "Could not find $IPFDIR/$1"
fi
shift
done
}
prep() {
$debug mkdir $1
$debug cd $1
}
IPFDIR=`pwd`
SRC=/usr/src
#
# 3 Programs into /sbin: ipf, ipfstat, ipnat
#
cd $SRC/sbin
/bin/rm -rf ipf ipfstat ipnat
prep ipf
MFILES="ipf.8 ipf.4 ipf.5 ipl.4"
SFILES="ipf.c parse.c opt.c facpri.c common.c"
IFILES="ipf.h facpri.h"
if [ X$debug = X ] ; then
OFILE=Makefile
else
OFILE=/dev/tty
fi
cat > ${OFILE} << __EOF__
# $OpenBSD: Makefile,v 1.10 2001/01/17 05:00:57 fgsch Exp $
PROG= ipf
MAN= ${MFILES}
SRCS= ${SFILES}
CFLAGS+=-DUSE_INET6 -I\${.CURDIR}/../../sys/netinet
.include <bsd.prog.mk>
__EOF__
copyfiles $MFILES $SFILES $IFILES
echo "`pwd` done"
#
# Setup ipfstat(8)
#
prep ../ipfstat
MFILES=ipfstat.8
SFILES="fils.c parse.c opt.c kmem.c facpri.c common.c printstate.c"
IFILES=kmem.h
cat > ${OFILE} << __EOF__
# $OpenBSD: Makefile,v 1.8 2001/02/13 01:12:33 fgsch Exp $
PROG= ipfstat
MAN= ${MFILES}
SRCS= ${SFILES}
.PATH: \${.CURDIR}/../../sbin/ipf
CFLAGS+=-DUSE_INET6 -I\${.CURDIR}/../../sbin/ipf -DSTATETOP \\
-I\${.CURDIR}/../../sys/netinet
DPADD= \${LIBCURSES}
LDADD= -lcurses -lkvm
.include <bsd.prog.mk>
__EOF__
copyfiles $MFILES $SFILES $IFILES
echo "`pwd` done"
#
# Setup ipnat(8)
#
prep ../ipnat
MFILES="ipnat.8 ipnat.4 ipnat.5"
SFILES="ipnat.c kmem.c natparse.c common.c printnat.c"
IFILES=
cat > ${OFILE} << __EOF__
# $OpenBSD: Makefile,v 1.10 2001/01/17 05:01:01 fgsch Exp $
PROG= ipnat
MAN= ${MFILES}
SRCS= ${SFILES}
.PATH: \${.CURDIR}/../ipfstat \${.CURDIR}/../ipf
CFLAGS+=-DUSE_INET6 -I\${.CURDIR}/../../sbin/ipfstat -I\${.CURDIR}/../ipf \\
-I\${.CURDIR}/../../sys/netinet
LDADD= -lkvm
.include <bsd.prog.mk>
__EOF__
copyfiles $MFILES $SFILES
echo "`pwd` done"
#
# Now fix up the top level Makefile
#
cd $SRC/sbin
grep -q ipf Makefile
if [ $? -ne 0 ] ; then
cat <<__EOF__ | patch
*** Makefile.orig Sat Sep 7 07:15:55 2002
--- Makefile Wed Nov 13 12:33:36 2002
***************
*** 33,36 ****
--- 33,39 ----
# Man pages (and manpages to do)
SUBDIR+= fdisk pdisk ancontrol wicontrol wsconsctl
+ # IPFilter
+ SUBDIR+= ipf ipfstat ipnat
+
.include <bsd.subdir.mk>
__EOF__
fi
#
# 3 Programs into /usr/sbin: ipfs, ipfstat, ipmon
# Also, include ipsend suite of tools.
#
cd $SRC/usr.sbin
/bin/rm -rf ipfs ipftest ipmon ipsend
#
# Create directory for ipftest
#
prep ipftest
MFILES=ipftest.1
SFILES="ipt.c fil.c ipft_hx.c ipft_sn.c ipft_ef.c ipft_td.c ipft_pc.c \\
ipft_tx.c misc.c parse.c opt.c ip_frag.c ip_nat.c ip_state.c \\
ip_auth.c ip_fil.c ip_proxy.c facpri.c natparse.c common.c \\
printnat.c printstate.c ip_log.c"
IFILES="ipt.h pcap.h snoop.h kmem.h bpf.h"
cat > ${OFILE} << __EOF__
# $OpenBSD: Makefile,v 1.9 2001/01/17 06:01:21 fgsch Exp $
PROG= ipftest
MAN= ${MFILES}
SRCS= ${SFILES}
.PATH: \${.CURDIR}/../../sbin/ipf \${.CURDIR}/../../sbin/ipfstat \\
\${.CURDIR}/../../sys/netinet \${.CURDIR}/../../sbin/ipnat
CFLAGS+=-DUSE_INET6 -I\${.CURDIR}/../../sbin/ipf -DIPFILTER_LOG \\
-I\${.CURDIR}/../../sys/netinet -I\${.CURDIR}/../../sys -I\${.CURDIR}
.include <bsd.prog.mk>
__EOF__
copyfiles $MFILES $SFILES $IFILES
echo "`pwd` done"
#
# Create directory for ipfs
#
prep ../ipfs
MFILES=ipfs.8
SFILES=ipfs.c
IFILES=
cat > ${OFILE} << __EOF__
# \$OpenBSD: Makefile,v 1.1 2001/01/17 06:31:06 fgsch Exp \$
PROG= ipfs
MAN= ${MFILES}
SRCS= ${SFILES}
CFLAGS+=-DUSE_INET6 -I\${.CURDIR}/../../sbin/ipf \\
-I\${.CURDIR}/../../sys/netinet
.include <bsd.prog.mk>
__EOF__
copyfiles $MFILES $SFILES $IFILES
echo "`pwd` done"
#
#
#
prep ../ipmon
MFILES=ipmon.8
SFILES=ipmon.c
IFILES=
cat > ${OFILE} << __EOF__
# \$OpenBSD: Makefile,v 1.4 1998/09/15 10:01:38 pattonme Exp \$
PROG= ipmon
MAN= ${MFILES}
SRCS= ${SFILES}
CFLAGS+=-DUSE_INET6 -I\${.CURDIR}/../../sys/netinet
.include <bsd.prog.mk>
__EOF__
copyfiles $MFILES $SFILES $IFILES
echo "`pwd` done"
#
# Create top level directories for ipsend
#
prep ../ipsend
cat > ${OFILE} << __EOF__
# $OpenBSD: Makefile,v 1.4 1997/09/21 11:43:47 deraadt Exp $
SUBDIR= ipsend ipresend iptest
.include <bsd.subdir.mk>
__EOF__
echo "`pwd` done"
prep iplang
copyfiles iplang.h
#
# 1st ipsend program - ipsend itself
#
prep ../ipsend
MFILES="ipsend.1 ipsend.5"
SFILES="ipsend.c ip.c ipsopt.c sbpf.c sock.c 44arp.c iplang_y.y iplang_l.l"
IFILES="ipsend.h iplang.h"
cat > ${OFILE} << __EOF__
# $OpenBSD: Makefile,v 1.3 1998/01/26 19:46:23 weingart Exp $
PROG= ipsend
BINDIR= /usr/sbin
MAN= ${MFILES}
SRCS= ${SFILES}
CFLAGS+= -DDOSOCKET -I\${.CURDIR}/../common -I\${.CURDIR}/../../ipftest \\
-I\${.CURDIR}/../../../sbin/ipf -I\${.CURDIR}/../../../sys/netinet \\
-I\${.CURDIR}/.. -I\${.OBJDIR}
LDADD= -lfl
CLEANFILES+=y.tab.h
.PATH: \${.CURDIR}/../common
.include <bsd.prog.mk>
__EOF__
copyfiles $MFILES $SFILES $IFILES
echo "`pwd` done"
#
# 2nd ipsend program - ipresend
#
prep ../ipresend
MFILES=ipresend.1
SFILES="ipresend.c resend.c \\
ipft_ef.c ipft_hx.c ipft_pc.c ipft_sn.c ipft_td.c ipft_tx.c opt.c \\
sock.c 44arp.c sbpf.c ip.c"
IFILES="ipsend.h bpf.h"
cat > ${OFILE} << __EOF__
# \$OpenBSD: Makefile,v 1.4 1999/02/21 23:11:05 tholo Exp \$
PROG= ipresend
BINDIR= /usr/sbin
MAN= ${MFILES}
SRCS= ${SFILES}
CFLAGS+=-DDOSOCKET -I\${.CURDIR}/../common -I\${.CURDIR}/../../ipftest \\
-I\${.CURDIR}/../../../sbin/ipf \\
-I\${.CURDIR}/../../../sys/netinet -I\${.CURDIR}/..
.PATH: \${.CURDIR}/../common \${.CURDIR}/../../ipftest \\
\${.CURDIR}/../../../sbin/ipf
.include <bsd.prog.mk>
__EOF__
copyfiles $MFILES $SFILES $IFILES
echo "`pwd` done"
#
# 3rd ipsend program - iptest
#
prep ../iptest
MFILES=iptest.1
SFILES="iptest.c iptests.c ip.c sbpf.c sock.c 44arp.c"
IFILES="ipsend.h"
cat > ${OFILE} << __EOF__
# \$OpenBSD: Makefile,v 1.2 1998/01/26 04:17:08 dgregor Exp \$
PROG= iptest
BINDIR= /usr/sbin
MAN= ${MFILES}
SRCS= ${SFILES}
CFLAGS+=-DDOSOCKET -I\${.CURDIR}/../common -I\${.CURDIR}/../../ipftest \\
-I\${.CURDIR}/../../../sys/netinet \\
-I\${.CURDIR}/../../../sbin/ipf -I\${.CURDIR}/..
.PATH: \${.CURDIR}/../common
.include <bsd.prog.mk>
__EOF__
copyfiles $MFILES $SFILES $IFILES
echo "`pwd` done"
cd $SRC/usr.sbin
grep -q ipmon Makefile
if [ $? -ne 0 ] ; then
cat << __EOF__ | patch
*** Makefile.orig Fri Jun 21 16:22:20 2002
--- Makefile Wed Nov 13 12:33:43 2002
***************
*** 40,43 ****
--- 40,46 ----
SUBDIR+=ypbind yppoll ypset ypserv
.endif
+ # IPFilter
+ SUBDIR+=ipftest ipfs ipmon ipsend
+
.include <bsd.subdir.mk>
__EOF__
fi
echo "Patching base install set"
cd $SRC
cd distrib/sets/lists/base
grep -q ipfstat mi
if [ $? -ne 0 ] ; then
cat << __EOF__ | patch
*** mi.orig Mon Sep 30 04:28:45 2002
--- mi Wed Nov 13 12:33:44 2002
***************
*** 90,95 ****
--- 90,98 ----
./sbin/halt
./sbin/ifconfig
./sbin/init
+ ./sbin/ipf
+ ./sbin/ipfstat
+ ./sbin/ipnat
./sbin/ipsecadm
./sbin/isakmpd
./sbin/lmccontrol
***************
*** 1273,1278 ****
--- 1276,1287 ----
./usr/sbin/httpd
./usr/sbin/inetd
./usr/sbin/iostat
+ ./usr/sbin/ipfs
+ ./usr/sbin/ipftest
+ ./usr/sbin/ipmon
+ ./usr/sbin/ipresend
+ ./usr/sbin/ipsend
+ ./usr/sbin/iptest
./usr/sbin/kadmin
./usr/sbin/kdb_destroy
./usr/sbin/kdb_edit
__EOF__
fi
echo "Patching etc Makefile"
cd $SRC
cd etc
grep -q ipf.conf Makefile
if [ $? -ne 0 ] ; then
cat << __EOF__ | patch
*** Makefile.orig Sat Sep 7 07:30:22 2002
--- Makefile Wed Nov 13 12:38:44 2002
***************
*** 14,20 ****
BINGRP= wheel
BIN1= bootptab changelist ccd.conf csh.cshrc csh.login csh.logout \\
daily dhcpd.conf dhcpd.interfaces exports ftpusers \\
! ftpchroot gettytab group hosts hosts.lpd inetd.conf \\
ksh.kshrc locate.rc man.conf monthly motd mrouted.conf \\
myname netstart networks newsyslog.conf pf.conf \\
phones printcap protocols rbootd.conf rc rc.conf rc.local \\
--- 14,20 ----
BINGRP= wheel
BIN1= bootptab changelist ccd.conf csh.cshrc csh.login csh.logout \\
daily dhcpd.conf dhcpd.interfaces exports ftpusers \\
! ftpchroot gettytab group hosts hosts.lpd inetd.conf ipf.conf \\
ksh.kshrc locate.rc man.conf monthly motd mrouted.conf \\
myname netstart networks newsyslog.conf pf.conf \\
phones printcap protocols rbootd.conf rc rc.conf rc.local \\
__EOF__
fi
echo "Patching etc mi install set"
cd $SRC
cd distrib/sets/lists/etc
grep -q ipf.conf mi
if [ $? -ne 0 ] ; then
cat << __EOF__ | patch
*** mi.orig Sat Sep 28 20:23:13 2002
--- mi Wed Nov 13 12:33:44 2002
***************
*** 29,34 ****
--- 29,35 ----
./etc/hosts.equiv
./etc/hosts.lpd
./etc/inetd.conf
+ ./etc/ipf.conf
./etc/kerberosIV/README
./etc/kerberosIV/krb.conf
./etc/kerberosIV/krb.equiv
__EOF__
fi
echo "Patching man install set"
cd $SRC
cd distrib/sets/lists/man
grep -q ipfstat mi
if [ $? -ne 0 ] ; then
cat << __EOF__ | patch
*** mi.orig Thu Oct 3 09:49:02 2002
--- mi Wed Nov 13 12:33:45 2002
***************
*** 322,327 ****
--- 322,331 ----
./usr/share/man/cat1/intro.0
./usr/share/man/cat1/ipcrm.0
./usr/share/man/cat1/ipcs.0
+ ./usr/share/man/cat1/ipftest.0
+ ./usr/share/man/cat1/ipresend.0
+ ./usr/share/man/cat1/ipsend.0
+ ./usr/share/man/cat1/iptest.0
./usr/share/man/cat1/jobs.0
./usr/share/man/cat1/join.0
./usr/share/man/cat1/jot.0
***************
*** 1063,1068 ****
--- 1067,1075 ----
./usr/share/man/cat4/ip.0
./usr/share/man/cat4/ip6.0
./usr/share/man/cat4/ipcomp.0
+ ./usr/share/man/cat4/ipf.0
+ ./usr/share/man/cat4/ipl.0
+ ./usr/share/man/cat4/ipnat.0
./usr/share/man/cat4/ipsec.0
./usr/share/man/cat4/isa.0
./usr/share/man/cat4/isapnp.0
***************
*** 1434,1439 ****
--- 1441,1449 ----
./usr/share/man/cat5/info.0
./usr/share/man/cat5/inode.0
./usr/share/man/cat5/intro.0
+ ./usr/share/man/cat5/ipf.0
+ ./usr/share/man/cat5/ipnat.0
+ ./usr/share/man/cat5/ipsend.0
./usr/share/man/cat5/isakmpd.conf.0
./usr/share/man/cat5/isakmpd.policy.0
./usr/share/man/cat5/keynote.0
***************
*** 1681,1686 ****
--- 1691,1701 ----
./usr/share/man/cat8/intro.0
./usr/share/man/cat8/iopctl.0
./usr/share/man/cat8/iostat.0
+ ./usr/share/man/cat8/ipf.0
+ ./usr/share/man/cat8/ipfs.0
+ ./usr/share/man/cat8/ipfstat.0
+ ./usr/share/man/cat8/ipmon.0
+ ./usr/share/man/cat8/ipnat.0
./usr/share/man/cat8/ipsecadm.0
./usr/share/man/cat8/isakmpd.0
./usr/share/man/cat8/kadmin.0
__EOF__
fi
echo Creating etc/ipf.conf
cd $SRC
cd etc
if [ ! -f ipf.conf ] ; then
cat > ipf.conf << __EOF__
#
# See ipf(5) for syntax and examples.
#
# Pass all packets in and out (these are the implicit first two rules.)
# pass in all
# pass out all
__EOF__
fi
exit 0

72
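--- a/dist/ipf/OpenBSD-3/makedevs-3.4
+++ b/dist/ipf/OpenBSD-3/makedevs-3.4
@@ -0,0 +1,72 @@
+.\" $NetBSD: makedevs-3.4,v 1.1.1.1 2004/07/23 05:34:24 martti Exp $
+.\"
+#!/bin/sh
+platform=`uname -m`
+case $platform in
+alpha)
+major=44
+;;
+amiga)
+major=38
+;;
+hp300)
+major=37
+;;
+hppa)
+major=38
+;;
+i386)
+major=81
+;;
+mac68k)
+major=38
+;;
+macppc)
+major=45
+;;
+mvme68k)
+major=44
+;;
+mvme88k)
+major=41
+;;
+mvmeppc)
+major=44
+;;
+sparc)
+major=60
+;;
+sparc64)
+major=82
+;;
+sun3)
+major=87
+;;
+vax)
+major=47
+;;
+*)
+echo "Unrecognised platform $platform"
+exit 1
+;;
+esac
+minor=0
+echo
+echo "Creating IPFilter device files in /dev."
+echo
+echo -n "Platform $platform Major Number $major: "
+for i in ipl ipnat ipstate ipauth ipsync ipscan iplookup; do
+/bin/rm -f /dev/$i
+mknod /dev/$i c $major $minor
+chown root.wheel /dev/$i
+chmod 600 /dev/$i
+echo -n "$i($minor) "
+minor=`expr $minor + 1`
+done
+echo
+echo Done.
+echo
+exit 0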
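Review bot: Each device node in the `for i in ipl ipnat ...` loop is created by `mknod` with whatever mode the caller's umask allows and is only narrowed by `chmod 600` two commands later, and neither `mknod` nor `chown` is checked, so a failed step is still reported as a created node. Setting `umask 077` before the loop and writing `mknod /dev/$i c $major $minor || exit 1` closes that window and stops on the first error; `chown root:wheel` is the portable spelling of `root.wheel`. The hard-coded major numbers have to match the character-device slot the kernel patch assigns on each platform, and that table is not visible here, so a comment naming the file they were taken from would help whoever updates them. The two `.\"` lines ahead of `#!/bin/sh` mean the shebang is not the first line of the file. makedevs-3.5 has the same loop and the same header.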

72
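--- a/dist/ipf/OpenBSD-3/makedevs-3.5
+++ b/dist/ipf/OpenBSD-3/makedevs-3.5
@@ -0,0 +1,72 @@
+.\" $NetBSD: makedevs-3.5,v 1.1.1.1 2004/07/23 05:34:24 martti Exp $
+.\"
+#!/bin/sh
+platform=`uname -m`
+case $platform in
+alpha)
+major=44
+;;
+amiga)
+major=38
+;;
+hp300)
+major=37
+;;
+hppa)
+major=39
+;;
+i386)
+major=82
+;;
+mac68k)
+major=38
+;;
+macppc)
+major=45
+;;
+mvme68k)
+major=45
+;;
+mvme88k)
+major=45
+;;
+mvmeppc)
+major=44
+;;
+sparc)
+major=60
+;;
+sparc64)
+major=82
+;;
+sun3)
+major=87
+;;
+vax)
+major=47
+;;
+*)
+echo "Unrecognised platform $platform"
+exit 1
+;;
+esac
+minor=0
+echo
+echo "Creating IPFilter device files in /dev."
+echo
+echo -n "Platform $platform Major Number $major: "
+for i in ipl ipnat ipstate ipauth ipsync ipscan iplookup; do
+/bin/rm -f /dev/$i
+mknod /dev/$i c $major $minor
+chown root.wheel /dev/$i
+chmod 600 /dev/$i
+echo -n "$i($minor) "
+minor=`expr $minor + 1`
+done
+echo
+echo Done.
+echo
+exit 0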

10
dist/ipf/ip_irc_pxy.c vendored

@ -1,11 +1,11 @@
/* $NetBSD: ip_irc_pxy.c,v 1.1.1.1 2004/03/28 08:55:38 martti Exp $ */
/* $NetBSD: ip_irc_pxy.c,v 1.1.1.2 2004/07/23 05:33:55 martti Exp $ */
/*
* Copyright (C) 2000-2003 Darren Reed
*
* See the IPFILTER.LICENCE file for details on licencing.
*
* Id: ip_irc_pxy.c,v 2.39 2004/01/31 14:48:44 darrenr Exp
* Id: ip_irc_pxy.c,v 2.39.2.2 2004/05/24 14:01:48 darrenr Exp
*/
#define IPF_IRC_PROXY
@ -270,9 +270,13 @@ nat_t *nat;
ip = fin->fin_ip;
tcp = (tcphdr_t *)fin->fin_dp;
bzero(ctcpbuf, sizeof(ctcpbuf));
off = (char *)tcp - MTOD(m, char *) + (TCP_OFF(tcp) << 2);
off = (char *)tcp - (char *)ip + (TCP_OFF(tcp) << 2) + fin->fin_ipoff;
#ifdef __sgi
dlen = fin->fin_plen - off;
#else
dlen = MSGDSIZE(m) - off;
#endif
if (dlen <= 0)
return 0;
COPYDATA(m, off, MIN(sizeof(ctcpbuf), dlen), ctcpbuf);
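Review bot: `dlen` is only checked for `<= 0` and is never clamped to the number of bytes actually copied, while `COPYDATA` copies at most `sizeof(ctcpbuf)` into a buffer that was just `bzero`'d. If the code after this hunk walks `ctcpbuf` using `dlen` as its length, or treats the buffer as a NUL-terminated string, a payload longer than the buffer would be read past its end; that code is outside the hunk, so this needs confirming there. Copying `MIN(sizeof(ctcpbuf) - 1, dlen)` bytes keeps the zeroed terminator, and any later bound should use that copied length rather than `dlen`. The function starts and ends outside the hunk.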

35
dist/ipf/ip_lookup.c vendored

@ -1,4 +1,4 @@
/* $NetBSD: ip_lookup.c,v 1.1.1.1 2004/03/28 08:55:39 martti Exp $ */
/* $NetBSD: ip_lookup.c,v 1.1.1.2 2004/07/23 05:33:56 martti Exp $ */
/*
* Copyright (C) 2002-2003 by Darren Reed.
@ -63,7 +63,7 @@ struct file;
/* END OF INCLUDES */
#if !defined(lint)
static const char rcsid[] = "@(#)Id: ip_lookup.c,v 2.35.2.3 2004/03/23 12:44:33 darrenr Exp";
static const char rcsid[] = "@(#)Id: ip_lookup.c,v 2.35.2.5 2004/07/06 11:16:25 darrenr Exp";
#endif
#ifdef IPFILTER_LOOKUP
@ -214,9 +214,8 @@ caddr_t data;
ip_pool_t *p;
int err;
err = COPYIN(data, &op, sizeof(op));
if (err != 0)
return EFAULT;
err = 0;
BCOPYIN(data, &op, sizeof(op));
op.iplo_name[sizeof(op.iplo_name) - 1] = '\0';
switch (op.iplo_type)
@ -285,9 +284,9 @@ caddr_t data;
ip_pool_t *p;
int err;
err = COPYIN(data, &op, sizeof(op));
if (err != 0)
return EFAULT;
err = 0;
BCOPYIN(data, &op, sizeof(op));
op.iplo_name[sizeof(op.iplo_name) - 1] = '\0';
switch (op.iplo_type)
@ -346,9 +345,9 @@ caddr_t data;
iplookupop_t op;
int err;
err = COPYIN(data, &op, sizeof(op));
if (err != 0)
return EFAULT;
err = 0;
BCOPYIN(data, &op, sizeof(op));
op.iplo_name[sizeof(op.iplo_name) - 1] = '\0';
switch (op.iplo_type)
@ -389,9 +388,7 @@ caddr_t data;
iplookupop_t op;
int err;
err = COPYIN(data, &op, sizeof(op));
if (err != 0)
return EFAULT;
BCOPYIN(data, &op, sizeof(op));
op.iplo_name[sizeof(op.iplo_name) - 1] = '\0';
if (op.iplo_arg & IPLT_ANON)
@ -432,9 +429,8 @@ caddr_t data;
iplookupop_t op;
int err;
err = COPYIN(data, &op, sizeof(op));
if (err != 0)
return EFAULT;
err = 0;
BCOPYIN(data, &op, sizeof(op));
switch (op.iplo_type)
{
@ -468,9 +464,8 @@ caddr_t data;
int err, unit, num, type;
iplookupflush_t flush;
err = COPYIN(data, &flush, sizeof(flush));
if (err != 0)
return EFAULT;
err = 0;
BCOPYIN(data, &flush, sizeof(flush));
flush.iplf_name[sizeof(flush.iplf_name) - 1] = '\0';
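Review bot: All six hunks in this file drop the `if (err != 0) return EFAULT;` check that followed the copy from `data`, so the handler can no longer tell when `BCOPYIN` did not fill `op` (or `flush`). If `BCOPYIN` can fail on any supported platform (its definition is not in this diff), the handlers go on to `switch (op.iplo_type)` on uninitialised stack contents in an ioctl path. Either keep a checked copy where the macro returns a status, or zero the structure first, e.g. `bzero(&op, sizeof(op));` before `BCOPYIN(data, &op, sizeof(op));`, and say in a comment why the copy cannot fail. The hunk at `-389,9` also removes the only visible assignment to `err` without adding `err = 0;` as the others do; the function bodies continue outside the hunks, so check that `err` is set before it is returned.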

41
dist/ipf/ip_pool.c vendored

@ -1,4 +1,4 @@
/* $NetBSD: ip_pool.c,v 1.1.1.1 2004/03/28 08:55:42 martti Exp $ */
/* $NetBSD: ip_pool.c,v 1.1.1.2 2004/07/23 05:34:00 martti Exp $ */
/*
* Copyright (C) 1993-2001, 2003 by Darren Reed.
@ -69,8 +69,9 @@ struct file;
#include "netinet/ip_fil.h"
#include "netinet/ip_pool.h"
#if defined(_KERNEL) && !defined(__osf__) && !defined(__hpux) && \
!(defined(sun) && (defined(__svr4__) || defined(__SVR4)))
#if defined(IPFILTER_LOOKUP) && defined(_KERNEL) && \
((BSD >= 198911) && !defined(__osf__) && \
!defined(__hpux) && !defined(__sgi))
static int rn_freenode __P((struct radix_node *, void *));
#endif
@ -78,11 +79,18 @@ static int rn_freenode __P((struct radix_node *, void *));
#if !defined(lint)
static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-2000 Darren Reed";
static const char rcsid[] = "@(#)Id: ip_pool.c,v 2.55.2.5 2004/03/23 12:44:33 darrenr Exp";
static const char rcsid[] = "@(#)Id: ip_pool.c,v 2.55.2.9 2004/06/13 23:45:18 darrenr Exp";
#endif
#ifdef IPFILTER_LOOKUP
# ifndef RADIX_NODE_HEAD_LOCK
# define RADIX_NODE_HEAD_LOCK(x) ;
# endif
# ifndef RADIX_NODE_HEAD_UNLOCK
# define RADIX_NODE_HEAD_UNLOCK(x) ;
# endif
ip_pool_stat_t ipoolstat;
ipfrwlock_t ip_poolrw;
@ -333,9 +341,9 @@ char *name;
/* ------------------------------------------------------------------------ */
/* Function: ip_pool_findeq */
/* Returns: int - 0 = success, else error */
/* Parameters: ipo(I) - pointer to the pool getting the new node. */
/* inaddr(I) - pointer to address information to delete */
/* inmask(I) - */
/* Parameters: ipo(I) - pointer to the pool getting the new node. */
/* addr(I) - pointer to address information to delete */
/* mask(I) - */
/* */
/* Searches for an exact match of an entry in the pool. */
/* ------------------------------------------------------------------------ */
@ -344,8 +352,15 @@ ip_pool_t *ipo;
addrfamily_t *addr, *mask;
{
struct radix_node *n;
#ifdef USE_SPL
int s;
SPL_NET(s);
#endif
RADIX_NODE_HEAD_LOCK(ipo->ipo_head);
n = ipo->ipo_head->rnh_lookup(addr, mask, ipo->ipo_head);
RADIX_NODE_HEAD_UNLOCK(ipo->ipo_head);
SPL_X(s);
return (ip_pool_node_t *)n;
}
@ -394,9 +409,11 @@ void *dptr;
READ_ENTER(&ip_poolrw);
RADIX_NODE_HEAD_LOCK(ipo->ipo_head);
rn = ipo->ipo_head->rnh_matchaddr(&v, ipo->ipo_head);
RADIX_NODE_HEAD_UNLOCK(ipo->ipo_head);
if (rn != NULL) {
if ((rn != NULL) && ((rn->rn_flags & RNF_ROOT) == 0)) {
m = (ip_pool_node_t *)rn;
ipo->ipo_hits++;
m->ipn_hits++;
@ -444,8 +461,10 @@ int info;
bcopy(mask, &x->ipn_mask.adf_addr, sizeof(*mask));
x->ipn_mask.adf_len = sizeof(x->ipn_mask);
RADIX_NODE_HEAD_LOCK(ipo->ipo_head);
rn = ipo->ipo_head->rnh_addaddr(&x->ipn_addr, &x->ipn_mask,
ipo->ipo_head, x->ipn_nodes);
RADIX_NODE_HEAD_UNLOCK(ipo->ipo_head);
#ifdef DEBUG_POOL
printf("Added %p at %p\n", x, rn);
#endif
@ -575,8 +594,10 @@ ip_pool_node_t *ipe;
if (n == NULL)
return ENOENT;
RADIX_NODE_HEAD_LOCK(ipo->ipo_head);
ipo->ipo_head->rnh_deladdr(&n->ipn_addr, &n->ipn_mask,
ipo->ipo_head);
RADIX_NODE_HEAD_UNLOCK(ipo->ipo_head);
KFREE(n);
ipoolstat.ipls_nodes--;
@ -675,6 +696,7 @@ ip_pool_t *ipo;
{
ip_pool_node_t *n;
RADIX_NODE_HEAD_LOCK(ipo->ipo_head);
while ((n = ipo->ipo_list) != NULL) {
ipo->ipo_head->rnh_deladdr(&n->ipn_addr, &n->ipn_mask,
ipo->ipo_head);
@ -687,6 +709,7 @@ ip_pool_t *ipo;
ipoolstat.ipls_nodes--;
}
RADIX_NODE_HEAD_UNLOCK(ipo->ipo_head);
ipo->ipo_list = NULL;
if (ipo->ipo_next != NULL)
@ -741,6 +764,7 @@ rn_freehead(rnh)
struct radix_node_head *rnh;
{
RADIX_NODE_HEAD_LOCK(rnh);
(*rnh->rnh_walktree)(rnh, rn_freenode, rnh);
rnh->rnh_addaddr = NULL;
@ -748,6 +772,7 @@ rn_freehead(rnh)
rnh->rnh_matchaddr = NULL;
rnh->rnh_lookup = NULL;
rnh->rnh_walktree = NULL;
RADIX_NODE_HEAD_UNLOCK(rnh);
Free(rnh);
}
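Review bot: In `ip_pool_findeq`, `int s;` and `SPL_NET(s);` sit inside `#ifdef USE_SPL` but the matching `SPL_X(s);` is outside it, so a build without `USE_SPL` references an undeclared `s` unless `SPL_X` expands to nothing there. Wrap the release the same way: `#ifdef USE_SPL` / `SPL_X(s);` / `#endif`. Separately, the fallback `# define RADIX_NODE_HEAD_LOCK(x) ;` makes every lock call a silent no-op on platforms that lack the macro. A comment stating which lock (presumably `ip_poolrw`) protects the radix tree in that case would help, and an empty `do { } while (0)` body is safer than a bare `;` if the macro is ever used in an unbraced `if`.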


@ -1,4 +1,4 @@
/* $NetBSD: ip_pptp_pxy.c,v 1.1.1.1 2004/03/28 08:55:42 martti Exp $ */
/* $NetBSD: ip_pptp_pxy.c,v 1.1.1.2 2004/07/23 05:34:00 martti Exp $ */
/*
* Copyright (C) 2002-2003 by Darren Reed
@ -6,7 +6,7 @@
* Simple PPTP transparent proxy for in-kernel use. For use with the NAT
* code.
*
* Id: ip_pptp_pxy.c,v 2.10.2.3 2004/03/14 13:11:37 darrenr Exp
* Id: ip_pptp_pxy.c,v 2.10.2.5 2004/06/07 14:20:05 darrenr Exp
*
*/
#define IPF_PPTP_PROXY
@ -97,7 +97,7 @@ nat_t *nat;
ipn->in_apr = NULL;
ipn->in_use = 1;
ipn->in_hits = 1;
ipn->in_nip = nat->nat_outip.s_addr;
ipn->in_nip = ntohl(nat->nat_outip.s_addr);
ipn->in_ippip = 1;
ipn->in_inip = nat->nat_inip.s_addr;
ipn->in_inmsk = 0xffffffff;
@ -220,15 +220,9 @@ ap_session_t *aps;
if (pptp != NULL) {
/*
* Don't delete it from here, just schedule it to be
* deleted ASAP.
* Don't bother changing any of the NAT structure details,
* *_del() is on a callback from aps_free(), from nat_delete()
*/
if (pptp->pptp_nat != NULL) {
pptp->pptp_nat->nat_age = fr_ticks + 1;
pptp->pptp_nat->nat_ptr = NULL;
pptp->pptp_nat->nat_me = NULL;
fr_queuefront(&pptp->pptp_nat->nat_tqe);
}
READ_ENTER(&ipf_state);
if (pptp->pptp_state != NULL) {
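Review bot: `ipn->in_nip` is now stored through `ntohl()` while `ipn->in_inip` two lines below still takes `nat->nat_inip.s_addr` unconverted, so the two address fields of the same rule are in different byte orders. If that is what the NAT code expects (not visible in this hunk), a short comment such as `/* in_nip is kept in host order */` on the changed line would stop a later reader from "correcting" one of them. The function body starts and ends outside the hunk.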


@ -1,4 +1,4 @@
/* $NetBSD: ip_rpcb_pxy.c,v 1.1.1.1 2004/03/28 08:55:43 martti Exp $ */
/* $NetBSD: ip_rpcb_pxy.c,v 1.1.1.2 2004/07/23 05:34:01 martti Exp $ */
/*
* Copyright (C) 2002-2003 by Ryan Beasley <ryanb@goddamnbastard.org>
@ -39,7 +39,7 @@
* o The enclosed hack of STREAMS support is pretty sick and most likely
* broken.
*
* Id: ip_rpcb_pxy.c,v 2.25 2004/01/31 14:48:46 darrenr Exp
* Id: ip_rpcb_pxy.c,v 2.25.2.1 2004/05/04 03:47:49 darrenr Exp
*/
#define IPF_RPCB_PROXY
@ -222,7 +222,8 @@ ippr_rpcb_in(fin, aps, nat)
rs = (rpcb_session_t *)aps->aps_data;
m = fin->fin_m;
off = (char *)fin->fin_dp - MTOD(m, char *) + sizeof(udphdr_t);
off = (char *)fin->fin_dp - (char *)fin->fin_ip;
off += sizeof(udphdr_t) + fin->fin_ipoff;
dlen = fin->fin_dlen - sizeof(udphdr_t);
/* Disallow packets outside legal range for supported requests. */
@ -293,7 +294,8 @@ ippr_rpcb_out(fin, aps, nat)
rs = (rpcb_session_t *)aps->aps_data;
m = fin->fin_m;
off = (char *)fin->fin_dp - MTOD(m, char *) + sizeof(udphdr_t);
off = (char *)fin->fin_dp - (char *)fin->fin_ip;
off += sizeof(udphdr_t) + fin->fin_ipoff;
dlen = fin->fin_dlen - sizeof(udphdr_t);
diff = 0;
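Review bot: The two-statement offset calculation (`off = (char *)fin->fin_dp - (char *)fin->fin_ip;` then `off += sizeof(udphdr_t) + fin->fin_ipoff;`) is repeated verbatim in `ippr_rpcb_in` and `ippr_rpcb_out`. A small static helper or macro taking `fin` would keep the two copies from drifting. It is also the natural place for a comment explaining that `fin_ipoff` is added so that `off` is relative to the start of the mbuf data, as the later copy routines presumably expect. Both function bodies continue outside the hunks.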


@ -1,4 +1,4 @@
/* $NetBSD: getportproto.c,v 1.1.1.1 2004/03/28 08:56:18 martti Exp $ */
/* $NetBSD: getportproto.c,v 1.1.1.2 2004/07/23 05:34:34 martti Exp $ */
#include <ctype.h>
#include "ipf.h"
@ -14,10 +14,8 @@ int proto;
return htons(atoi(name) & 65535);
p = getprotobynumber(proto);
if (p != NULL) {
s = getservbyname(name, p->p_name);
if (s != NULL)
return s->s_port;
}
s = getservbyname(name, p ? p->p_name : NULL);
if (s != NULL)
return s->s_port;
return 0;
}
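Review bot: When `getprotobynumber(proto)` fails, the new call passes `NULL` as the protocol, and `getservbyname(name, NULL)` matches the service under any protocol, so a name can resolve to the port registered for a different protocol than the rule asked for. The removed code returned 0 in that case. If the fallback is intended, say so in a comment above the call, for example `/* unknown protocol number: accept a match under any protocol */`; otherwise keep the `p != NULL` guard. The function starts outside the hunk.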


@ -1,4 +1,4 @@
/* $NetBSD: inet_addr.c,v 1.1.1.1 2004/03/28 08:56:18 martti Exp $ */
/* $NetBSD: inet_addr.c,v 1.1.1.2 2004/07/23 05:34:35 martti Exp $ */
/*
* ++Copyright++ 1983, 1990, 1993
@ -57,7 +57,7 @@
#if !defined(lint)
static const char sccsid[] = "@(#)inet_addr.c 8.1 (Berkeley) 6/17/93";
static const char rcsid[] = "@(#)Id: inet_addr.c,v 1.8.2.1 2004/03/23 15:15:44 darrenr Exp";
static const char rcsid[] = "@(#)Id: inet_addr.c,v 1.8.2.2 2004/04/16 23:33:51 darrenr Exp";
#endif /* LIBC_SCCS and not lint */
#include <sys/param.h>
@ -183,18 +183,9 @@ inet_aton(cp, addr)
* Ascii internet address interpretation routine.
* The value returned is in network order.
*/
#if !defined(__hpux)
# if (defined(SOLARIS2) && (SOLARIS2 > 5)) || \
defined(__osf__) || (defined(IRIX) && (IRIX >= 60500)) || \
(defined(__FreeBSD__) && (__FreeBSD__ >= 4)) || \
defined(__OpenBSD__) || defined(linux) || \
(defined(__NetBSD_Version) && (__NetBSD_Version >= 106370000))
in_addr_t
# else
u_long
# endif
#if 0
inet_addr(cp)
register const char *cp;
const char *cp;
{
struct in_addr val;
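Review bot: `inet_addr` is disabled with a bare `#if 0`, which leaves a K&R definition with no return type in the file and no record of why it was switched off. Either delete the function or add a comment on the `#if 0` line, for example `#if 0 /* use the system inet_addr(); return type differs per platform */`, if that is indeed the reason. The matching `#endif` and the rest of the body are outside the hunk.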


@ -1,4 +1,4 @@
/* $NetBSD: printactivenat.c,v 1.1.1.1 2004/03/28 08:56:19 martti Exp $ */
/* $NetBSD: printactivenat.c,v 1.1.1.2 2004/07/23 05:34:36 martti Exp $ */
/*
* Copyright (C) 1993-2001 by Darren Reed.
@ -12,7 +12,7 @@
#if !defined(lint)
static const char rcsid[] = "@(#)Id: printactivenat.c,v 1.3 2004/01/17 17:31:20 darrenr Exp";
static const char rcsid[] = "@(#)Id: printactivenat.c,v 1.3.2.4 2004/05/11 16:07:32 darrenr Exp";
#endif
@ -59,12 +59,27 @@ int opts;
printf("bytes %lu/%lu pkts %lu/%lu", nat->nat_bytes[0],
nat->nat_bytes[1], nat->nat_pkts[0], nat->nat_pkts[1]);
#endif
#if SOLARIS
printf(" %lx", nat->nat_ipsumd);
#endif
printf(" ipsumd %x", nat->nat_ipsumd);
}
if (opts & OPT_DEBUG) {
printf("\n\tnat_next %p _pnext %p _hm %p\n",
nat->nat_next, nat->nat_pnext, nat->nat_hm);
printf("\t_hnext %p/%p _phnext %p/%p\n",
nat->nat_hnext[0], nat->nat_hnext[1],
nat->nat_phnext[0], nat->nat_phnext[1]);
printf("\t_data %p _me %p _state %p _aps %p\n",
nat->nat_data, nat->nat_me, nat->nat_state, nat->nat_aps);
printf("\tfr %p ptr %p ifps %p/%p sync %p\n",
nat->nat_fr, nat->nat_ptr, nat->nat_ifps[0],
nat->nat_ifps[1], nat->nat_sync);
printf("\ttqe:pnext %p next %p ifq %p parent %p/%p\n",
nat->nat_tqe.tqe_pnext, nat->nat_tqe.tqe_next,
nat->nat_tqe.tqe_ifq, nat->nat_tqe.tqe_parent, nat);
printf("\ttqe:die %ld touched %ld flags %x state %d/%d\n",
nat->nat_tqe.tqe_die, nat->nat_tqe.tqe_touched,
nat->nat_tqe.tqe_flags, nat->nat_tqe.tqe_state[0],
nat->nat_tqe.tqe_state[1]);
}
putchar('\n');
if (nat->nat_aps)
printaps(nat->nat_aps, opts);
}
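Review bot: `printf(" ipsumd %x", nat->nat_ipsumd);` now runs on every platform, while the removed Solaris-only line printed the same field with `%lx`; if `nat_ipsumd` is wider than `unsigned int` anywhere, the specifier and argument disagree. An explicit cast keeps it well defined: `printf(" ipsumd %x", (u_int)nat->nat_ipsumd);`. The same applies to `%ld` for `tqe_die`/`tqe_touched` and to the `%p` arguments, which should be cast to `void *`. The new `OPT_DEBUG` block prints raw pointer fields of the `nat_t`, presumably kernel addresses copied out by the ioctl, so a comment marking that output as diagnostic-only would be useful.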


@ -1,15 +1,69 @@
/* $NetBSD: printfr.c,v 1.1.1.1 2004/03/28 08:56:20 martti Exp $ */
/* $NetBSD: printfr.c,v 1.1.1.2 2004/07/23 05:34:36 martti Exp $ */
/*
* Copyright (C) 1993-2001 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
* Id: printfr.c,v 1.43.2.1 2004/03/06 14:33:29 darrenr Exp
* Id: printfr.c,v 1.43.2.4 2004/04/20 11:51:33 darrenr Exp
*/
#include "ipf.h"
static void printaddr(int, int, char *, u_32_t *, u_32_t *);
static void printaddr(v, type, ifname, addr, mask)
int v, type;
char *ifname;
u_32_t *addr, *mask;
{
char *suffix;
switch (type)
{
case FRI_BROADCAST :
suffix = "/bcast";
break;
case FRI_DYNAMIC :
printf("%s", ifname);
printmask(mask);
suffix = NULL;
break;
case FRI_NETWORK :
suffix = "/net";
break;
case FRI_NETMASKED :
suffix = "/netmasked";
break;
case FRI_PEERADDR :
suffix = "/peer";
break;
case FRI_LOOKUP :
suffix = NULL;
printlookup((i6addr_t *)addr, (i6addr_t *)mask);
break;
case FRI_NORMAL :
printhostmask(v, addr, mask);
suffix = NULL;
break;
default :
printf("<%d>", type);
printmask(mask);
suffix = NULL;
break;
}
if (suffix != NULL) {
printf("%s/%s", ifname, suffix);
}
}
void printlookup(addr, mask)
i6addr_t *addr, *mask;
@ -163,44 +217,14 @@ ioctlfunc_t iocfunc;
printf("all");
} else if (type == FR_T_IPF) {
printf("from %s", fp->fr_flags & FR_NOTSRCIP ? "!" : "");
if (fp->fr_satype != FRI_NORMAL) {
if (fp->fr_satype == FRI_BROADCAST)
printf("%s/bcast", fp->fr_ifname);
else if (fp->fr_satype == FRI_NETWORK)
printf("%s/net", fp->fr_ifname);
else if (fp->fr_satype == FRI_NETMASKED)
printf("%s/netmasked", fp->fr_ifname);
else if (fp->fr_satype == FRI_PEERADDR)
printf("%s/peer", fp->fr_ifname);
else if (fp->fr_satype == FRI_LOOKUP)
printlookup(&fp->fr_ip.fi_src,
&fp->fr_mip.fi_src);
else
printmask((u_32_t *)&fp->fr_smsk.s_addr);
} else
printhostmask(fp->fr_v, (u_32_t *)&fp->fr_src.s_addr,
(u_32_t *)&fp->fr_smsk.s_addr);
printaddr(fp->fr_v, fp->fr_satype, fp->fr_ifname,
&fp->fr_src.s_addr, &fp->fr_smsk.s_addr);
if (fp->fr_scmp)
printportcmp(pr, &fp->fr_tuc.ftu_src);
printf(" to %s", fp->fr_flags & FR_NOTDSTIP ? "!" : "");
if (fp->fr_datype != FRI_NORMAL) {
if (fp->fr_datype == FRI_BROADCAST)
printf("%s/bcast", fp->fr_ifname);
else if (fp->fr_datype == FRI_NETWORK)
printf("%s/net", fp->fr_ifname);
else if (fp->fr_datype == FRI_NETMASKED)
printf("%s/netmasked", fp->fr_ifname);
else if (fp->fr_datype == FRI_PEERADDR)
printf("%s/peer", fp->fr_ifname);
else if (fp->fr_datype == FRI_LOOKUP)
printlookup(&fp->fr_ip.fi_dst,
&fp->fr_mip.fi_dst);
else
printmask((u_32_t *)&fp->fr_dmsk.s_addr);
} else
printhostmask(fp->fr_v, (u_32_t *)&fp->fr_dst.s_addr,
(u_32_t *)&fp->fr_dmsk.s_addr);
printaddr(fp->fr_v, fp->fr_datype, fp->fr_ifname,
&fp->fr_dst.s_addr, &fp->fr_dmsk.s_addr);
if (fp->fr_dcmp)
printportcmp(pr, &fp->fr_tuc.ftu_dst);
@ -342,7 +366,7 @@ ioctlfunc_t iocfunc;
if (fp->fr_flags & FR_KEEPSTATE) {
printf(" keep state");
if ((fp->fr_flags & (FR_STSTRICT|FR_NEWISN)) ||
if ((fp->fr_flags & (FR_STSTRICT|FR_NEWISN|FR_NOICMPERR)) ||
(fp->fr_statemax != 0) || (fp->fr_age[0] != 0)) {
char *comma = "";
printf(" (");
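Review bot: `printaddr` sets `suffix` to strings that already begin with a slash (`"/bcast"`, `"/net"`, `"/netmasked"`, `"/peer"`) and then prints them with `printf("%s/%s", ifname, suffix);`, so the output becomes `ifname//bcast` where the removed code printed `ifname/bcast`. Change the final call to `printf("%s%s", ifname, suffix);` or drop the leading slash from the four literals. If this output is compared by the files under `test/expected` or fed back to the rule parser, the doubled slash will show up as a printed rule that no longer matches what was loaded. The two call sites also pass `&fp->fr_src.s_addr` where the old `FRI_LOOKUP` branch passed `&fp->fr_ip.fi_src`; `printaddr` casts that pointer to `i6addr_t *`, so confirm both expressions name the same storage.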


@ -1,4 +1,4 @@
/* $NetBSD: printnat.c,v 1.1.1.1 2004/03/28 08:56:20 martti Exp $ */
/* $NetBSD: printnat.c,v 1.1.1.2 2004/07/23 05:34:37 martti Exp $ */
/*
* Copyright (C) 1993-2001 by Darren Reed.
@ -13,7 +13,7 @@
#if !defined(lint)
static const char rcsid[] = "@(#)Id: printnat.c,v 1.22.2.1 2004/03/06 14:33:30 darrenr Exp";
static const char rcsid[] = "@(#)Id: printnat.c,v 1.22.2.4 2004/05/11 01:41:16 darrenr Exp";
#endif
@ -99,7 +99,10 @@ int opts;
printf(" -> %s", inet_ntoa(np->in_in[0].in4));
if (np->in_flags & IPN_SPLIT)
printf(",%s", inet_ntoa(np->in_in[1].in4));
printf(" port %d", ntohs(np->in_pnext));
if ((np->in_flags & IPN_FIXEDDPORT) != 0)
printf(" port = %d", ntohs(np->in_pnext));
else
printf(" port %d", ntohs(np->in_pnext));
if ((np->in_flags & IPN_TCPUDP) == IPN_TCPUDP)
printf(" tcp/udp");
else if ((np->in_flags & IPN_TCP) == IPN_TCP)
@ -178,13 +181,19 @@ int opts;
if (opts & OPT_DEBUG)
printf("\n\tip modulous %d", np->in_pmax);
} else if (np->in_pmin || np->in_pmax) {
printf(" portmap");
if (np->in_flags & IPN_ICMPQUERY) {
printf(" icmpidmap");
} else {
printf(" portmap");
}
if ((np->in_flags & IPN_TCPUDP) == IPN_TCPUDP)
printf(" tcp/udp");
else if (np->in_flags & IPN_TCP)
printf(" tcp");
else if (np->in_flags & IPN_UDP)
printf(" udp");
else if (np->in_flags & IPN_ICMPQUERY)
printf(" icmp");
if (np->in_flags & IPN_AUTOPORTMAP) {
printf(" auto");
if (opts & OPT_DEBUG)

4
dist/ipf/lib/var.c vendored

@ -1,4 +1,4 @@
/* $NetBSD: var.c,v 1.1.1.1 2004/03/28 08:56:21 martti Exp $ */
/* $NetBSD: var.c,v 1.1.1.2 2004/07/23 05:34:38 martti Exp $ */
#include <ctype.h>
@ -48,7 +48,7 @@ int line;
}
} else if (isalpha(*s)) {
for (t = s + 1; *t != '\0'; t++)
if (!isalpha(*t) && !isdigit(*t))
if (!isalpha(*t) && !isdigit(*t) && (*t != '_'))
break;
} else {
fprintf(stderr, "%d: variables cannot start with '%c'\n",
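Review bot: The name scan calls `isalpha(*t)` and `isdigit(*t)` on what is presumably a plain `char`, which is undefined for bytes above 0x7f where `char` is signed, and the text being scanned comes from a configuration file. Cast at the call: `if (!isalnum((unsigned char)*t) && (*t != '_'))`. The same applies to `isalpha(*s)` on the line above the loop. The enclosing function starts and ends outside the hunk.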


@ -1,4 +1,4 @@
.\" $NetBSD: ippool.5,v 1.1.1.1 2004/03/28 08:56:23 martti Exp $
.\" $NetBSD: ippool.5,v 1.1.1.2 2004/07/23 05:34:39 martti Exp $
.\"
.TH IPPOOL 5
.SH NAME
@ -116,7 +116,7 @@ in 2.2.0.0/16, except for those in 2.2.2.0/24.
.PP
.nf
table role = ipf type = tree number = 100
{ 1.1.1.1/32, 2.2.0.0/16, !2.2.2.0/24 };
{ 1.1.1.1/32; 2.2.0.0/16; !2.2.2.0/24 };
.fi
.TP
2


@ -1,4 +1,4 @@
.\" $NetBSD: ippool.8,v 1.1.1.1 2004/03/28 08:56:23 martti Exp $
.\" $NetBSD: ippool.8,v 1.1.1.2 2004/07/23 05:34:40 martti Exp $
.\"
.TH IPPOOL 8
.SH NAME
@ -109,7 +109,7 @@ type pools.
.TP
.B -t <type>
Sets the type of pool being defined. Myst be one of
.B pool,
.B tree,
.B hash,
.B group-map.
.TP

8
dist/ipf/mlfk_ipl.c vendored

@ -1,4 +1,4 @@
/* $NetBSD: mlfk_ipl.c,v 1.1.1.5 2004/03/28 08:55:47 martti Exp $ */
/* $NetBSD: mlfk_ipl.c,v 1.1.1.6 2004/07/23 05:34:04 martti Exp $ */
/*
* Copyright (C) 2000 by Darren Reed.
@ -123,6 +123,7 @@ static struct cdevsw ipl_cdevsw = {
static char *ipf_devfiles[] = { IPL_NAME, IPNAT_NAME, IPSTATE_NAME, IPAUTH_NAME,
IPSCAN_NAME, IPSYNC_NAME, IPLOOKUP_NAME, NULL };
static int
ipfilter_modevent(module_t mod, int type, void *unused)
{
@ -223,13 +224,16 @@ ipf_modunload()
static moduledata_t ipfiltermod = {
IPL_VERSION,
"ipfilter",
ipfilter_modevent,
0
};
DECLARE_MODULE(ipfilter, ipfiltermod, SI_SUB_PROTO_DOMAIN, SI_ORDER_ANY);
#ifdef MODULE_VERSION
MODULE_VERSION(ipfilter, 1);
#endif
#ifdef SYSCTL_IPF

12
dist/ipf/mlfk_rule.c vendored

@ -1,11 +1,11 @@
/* $NetBSD: mlfk_rule.c,v 1.1.1.1 2004/03/28 08:55:47 martti Exp $ */
/* $NetBSD: mlfk_rule.c,v 1.1.1.2 2004/07/23 05:34:04 martti Exp $ */
/*
* Copyright (C) 2000 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
* Id: mlfk_rule.c,v 2.4 2001/06/09 17:09:22 darrenr Exp
* Id: mlfk_rule.c,v 2.4.4.2 2004/04/16 23:32:08 darrenr Exp
*/
@ -56,8 +56,14 @@ ipfrule_modevent(module_t mod, int type, void *unused)
}
static moduledata_t ipfrulemod = {
IPL_VERSION,
"ipfrule",
ipfrule_modevent,
0
};
DECLARE_MODULE(ipfrule, ipfrulemod, SI_SUB_PROTO_DOMAIN, SI_ORDER_ANY);
#ifdef MODULE_DEPEND
MODULE_DEPEND(ipfrule, ipfilter, 1, 1, 1);
#endif
#ifdef MODULE_VERSION
MODULE_VERSION(ipfrule, 1);
#endif


@ -2,22 +2,23 @@
#
#
#
action { tag = 10000, execute = "/usr/bin/mail -s 'tag 10000' root" };
action { tag = 2000, every 10 seconds,
execute = "echo 'XXXXXXXX tag 2000 packet XXXXXXXX'" };
match { logtag = 10000 }
do { execute "/usr/bin/mail -s 'logtag 10000' root" };
match { logtag = 2000, every 10 seconds }
do { execute "echo 'XXXXXXXX tag 2000 packet XXXXXXXX'" };
#
action { protocol = udp, result = block,
execute = "/usr/bin/mail -s 'blocked udp' root"
match { protocol = udp, result = block }
do { execute "/usr/bin/mail -s 'blocked udp' root"
};
#
action {
srcip = 10.1.0.0/16, dstip = 192.168.1.0/24,
execute = "/usr/bin/mail -s 'from 10.1 to 192.168.1' root"
match {
srcip = 10.1.0.0/16, dstip = 192.168.1.0/24 }
do { execute "/usr/bin/mail -s 'from 10.1 to 192.168.1' root"
};
#
action {
rule = 12, tag = 101, direction = in, result = block,
protocol = udp, srcip = 10.1.0.0/16, dstip = 192.168.1.0/24,
execute = "run shell command"
match {
rule = 12, logtag = 101, direction = in, result = block,
protocol = udp, srcip = 10.1.0.0/16, dstip = 192.168.1.0/24 }
do { execute "run shell command"
};
#
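Review bot: Only the `logtag = 2000` rule carries `every 10 seconds`; the other `match` blocks run `/usr/bin/mail` with no interval, so as written each matching log record can start a process. Because the matches are on packet properties (`protocol = udp, result = block`, source and destination networks), the rate is set by whoever sends the traffic. Adding an interval to the samples, e.g. `match { protocol = udp, result = block, every 60 seconds }`, gives people copying this file a safer starting point. Whether ipmon applies a default limit is not visible here.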


@ -1,4 +1,4 @@
/* $NetBSD: relay.c,v 1.1.1.1 2004/03/28 08:56:26 martti Exp $ */
/* $NetBSD: relay.c,v 1.1.1.2 2004/07/23 05:34:43 martti Exp $ */
/*
* Sample program to be used as a transparent proxy.
@ -21,6 +21,7 @@
#include "ip_compat.h"
#include "ip_fil.h"
#include "ip_nat.h"
#include "ipl.h"
#define RELAY_BUFSZ 8192
@ -106,12 +107,13 @@ int argc;
char *argv[];
{
struct sockaddr_in sin;
ipfobj_t obj;
natlookup_t nl;
natlookup_t *nlp = &nl;
int fd, sl = sizeof(sl), se;
openlog(argv[0], LOG_PID|LOG_NDELAY, LOG_DAEMON);
if ((fd = open(IPL_NAT, O_RDONLY)) == -1) {
if ((fd = open(IPNAT_NAME, O_RDONLY)) == -1) {
se = errno;
perror("open");
errno = se;
@ -119,6 +121,12 @@ char *argv[];
exit(-1);
}
bzero(&obj, sizeof(obj));
obj.ipfo_rev = IPFILTER_VERSION;
obj.ipfo_size = sizeof(nl);
obj.ipfo_ptr = &nl;
obj.ipfo_type = IPFOBJ_NATLOOKUP;
bzero(&nl, sizeof(nl));
nl.nl_flags = IPN_TCP;
@ -150,7 +158,7 @@ char *argv[];
nl.nl_outport = sin.sin_port;
}
if (ioctl(fd, SIOCGNATL, &nlp) == -1) {
if (ioctl(fd, SIOCGNATL, &obj) == -1) {
se = errno;
perror("ioctl");
errno = se;
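Review bot: With the ioctl argument changed to `&obj`, `natlookup_t *nlp = &nl;` no longer has a visible use in these hunks; if nothing later in `main` reads it, remove the declaration. A comment above the `obj` setup noting that `ipfo_size` and `ipfo_type` must describe the structure behind `ipfo_ptr` (here `sizeof(nl)` and `IPFOBJ_NATLOOKUP`) would help people adapting this sample. `main` continues outside the hunks.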

30
dist/ipf/test/README.TXT vendored Normal file

@ -0,0 +1,30 @@
The contents of this directory sub tree is dedicated to regression testing
of IPFilter.
The tests are broken down into these groups:
f - filter rule tests
i - parsing & printing test of ipf rules
in - parsing & printing test of ipnat rules
ipv6 - ipv6 filter rule tests
l - logging test
n - NAT testing
ni - combined NAT & IPF tests
TEST
f1 - block/pass, in/out.
f2 - proto
f3 - from IP#
f4 - to #IP
f5 - source port
f6 - destination port
f7 - icmp-type, code
f8 - flags
f9 - ipoptions
f10 - ipoptions
f11 - keep frag/state
f12 - short/frag
f13 - keep frag/state (fragmented packets)
f14 - from !host, to !host
f15 - groups
f16 - skip
f17 - TCP state transition on flags


@ -2,3 +2,7 @@ block in on eri0(!) all head 1
pass in on eri0(!) proto icmp from any to any group 1
pass out on ed0(!) all head 1000000
block out on ed0(!) proto udp from any to any group 1000000
block in on vm0(!) proto tcp/udp from any to any head 101
pass in proto tcp/udp from 1.1.1.1/32 to 2.2.2.2/32 group 101
pass in proto tcp from 1.0.0.1/32 to 2.0.0.2/32 group 101
pass in proto udp from 2.0.0.2/32 to 3.0.0.3/32 group 101


@ -1,5 +1,3 @@
.\" $NetBSD: ipv6.3,v 1.1.1.1 2004/03/28 08:56:27 martti Exp $
.\"
pass
nomatch
nomatch

51
dist/ipf/test/expected/n11 vendored Normal file

@ -0,0 +1,51 @@
ip 20(20) 255 10.1.1.0 > 10.1.1.2
ip 20(20) 255 1.6.7.8 > 10.1.1.2
ip 20(20) 255 10.1.1.2 > 10.1.1.1
ip 20(20) 255 10.2.2.1 > 10.1.2.1
ip 20(20) 255 10.2.2.2 > 10.1.2.1
ip 20(20) 255 10.1.1.1 > 10.1.1.2
ip 20(20) 255 10.1.1.2 > 10.1.1.1
ip 20(20) 255 10.2.2.1 > 10.2.1.1
ip 20(20) 255 10.2.2.2 > 10.2.1.1
ip 20(20) 255 10.2.2.3 > 10.1.1.1
ip 20(20) 255 10.2.3.4 > 10.2.2.2
ip 20(20) 255 10.1.1.1 > 10.2.2.2
ip 20(20) 255 10.1.1.2 > 10.2.2.2
ip 20(20) 255 10.1.1.0 > 10.3.4.5
ip 20(20) 255 10.1.1.1 > 10.3.4.5
ip 20(20) 255 10.1.1.2 > 10.3.4.5
-------------------------------
ip 20(20) 255 10.2.2.2 > 10.1.1.2
ip 20(20) 255 10.1.1.1 > 10.1.1.2
ip 20(20) 255 10.2.2.2 > 10.1.1.1
ip 20(20) 255 10.2.2.1 > 10.1.2.1
ip 20(20) 255 10.2.2.2 > 10.1.2.1
ip 20(20) 255 10.1.1.1 > 10.1.1.2
ip 20(20) 255 10.1.1.2 > 10.1.1.1
ip 20(20) 255 10.2.2.1 > 10.2.1.1
ip 20(20) 255 10.2.2.2 > 10.2.1.1
ip 20(20) 255 10.2.2.3 > 10.1.1.1
ip 20(20) 255 10.2.3.4 > 10.1.1.0
ip 20(20) 255 10.1.1.1 > 10.1.1.2
ip 20(20) 255 10.1.1.2 > 10.1.1.0
ip 20(20) 255 10.1.1.0 > 10.3.4.5
ip 20(20) 255 10.1.1.1 > 10.3.4.5
ip 20(20) 255 10.1.1.2 > 10.3.4.5
-------------------------------
ip 20(20) 255 10.3.4.0 > 10.1.1.2
ip 20(20) 255 10.3.4.1 > 10.1.1.2
ip 20(20) 255 10.3.4.2 > 10.1.1.1
ip 20(20) 255 10.2.2.1 > 10.1.2.1
ip 20(20) 255 10.2.2.2 > 10.1.2.1
ip 20(20) 255 10.1.1.1 > 10.1.1.2
ip 20(20) 255 10.1.1.2 > 10.1.1.1
ip 20(20) 255 10.2.2.1 > 10.2.1.1
ip 20(20) 255 10.2.2.2 > 10.2.1.1
ip 20(20) 255 10.2.2.3 > 10.1.1.1
ip 20(20) 255 10.2.3.4 > 10.2.2.2
ip 20(20) 255 10.1.1.1 > 10.2.2.2
ip 20(20) 255 10.1.1.2 > 10.2.2.2
ip 20(20) 255 10.1.1.0 > 10.1.1.5
ip 20(20) 255 10.1.1.1 > 10.1.1.5
ip 20(20) 255 10.1.1.2 > 10.1.1.5
-------------------------------


@ -1,5 +1,5 @@
4500 0054 8bc1 0000 ff01 13d5 0a0a 0a01 0404 0404 0800 e392 6220 0000 3f6f 6e80 000b 0d02 0809 0a0b 0c0d 0e0f 1011 1213 1415 1617 1819 1a1b 1c1d 1e1f 2021 2223 2425 2627 2829 2a2b 2c2d 2e2f 3031 3233 3435 3637
4500 0054 3fd5 4000 ff01 2fc8 0404 0404 0202 0202 0000 db8b 6220 0000 3f6f 6e80 000b 0d02 0809 0a0b 0c0d 0e0f 1011 1213 1415 1617 1819 1a1b 1c1d 1e1f 2021 2223 2425 2627 2829 2a2b 2c2d 2e2f 3031 3233 3435 3637
4500 0054 8bc1 0000 ff01 13d5 0a0a 0a01 0404 0404 0800 e391 6220 0001 3f6f 6e80 000b 0d02 0809 0a0b 0c0d 0e0f 1011 1213 1415 1617 1819 1a1b 1c1d 1e1f 2021 2223 2425 2627 2829 2a2b 2c2d 2e2f 3031 3233 3435 3637
4500 0054 3fd5 4000 ff01 2fc8 0404 0404 0202 0202 0000 db8a 6220 0001 3f6f 6e80 000b 0d02 0809 0a0b 0c0d 0e0f 1011 1213 1415 1617 1819 1a1b 1c1d 1e1f 2021 2223 2425 2627 2829 2a2b 2c2d 2e2f 3031 3233 3435 3637
4500 0054 8bc1 0000 ff01 13d5 0a0a 0a01 0404 0404 0800 efdf 6220 0000 3f6f 6e80 000b 0d02 0809 0a0b 0c0d 0e0f 1011 1213 1415 1617 1819 1a1b 1c1d 1e1f 2021 2223 2425 2627 2829 2a2b 2c2d 2e2f 3031 3233 3435 3637
4500 0054 3fd5 4000 ff01 2fc8 0404 0404 0202 0202 0000 f7df 6220 0000 3f6f 6e80 000b 0d02 0809 0a0b 0c0d 0e0f 1011 1213 1415 1617 1819 1a1b 1c1d 1e1f 2021 2223 2425 2627 2829 2a2b 2c2d 2e2f 3031 3233 3435 3637
4500 0054 8bc1 0000 ff01 13d5 0a0a 0a01 0404 0404 0800 efde 6220 0001 3f6f 6e80 000b 0d02 0809 0a0b 0c0d 0e0f 1011 1213 1415 1617 1819 1a1b 1c1d 1e1f 2021 2223 2425 2627 2829 2a2b 2c2d 2e2f 3031 3233 3435 3637
4500 0054 3fd5 4000 ff01 2fc8 0404 0404 0202 0202 0000 f7de 6220 0001 3f6f 6e80 000b 0d02 0809 0a0b 0c0d 0e0f 1011 1213 1415 1617 1819 1a1b 1c1d 1e1f 2021 2223 2425 2627 2829 2a2b 2c2d 2e2f 3031 3233 3435 3637
-------------------------------


@ -1,5 +1,5 @@
4500 0054 8bc1 0000 ff01 17d9 0202 0202 0a0a 0a01 0800 e392 6220 0000 3f6f 6e80 000b 0d02 0809 0a0b 0c0d 0e0f 1011 1213 1415 1617 1819 1a1b 1c1d 1e1f 2021 2223 2425 2627 2829 2a2b 2c2d 2e2f 3031 3233 3435 3637
4500 0054 3fd5 4000 ff01 2fc8 0404 0404 0202 0202 0000 db8b 6220 0000 3f6f 6e80 000b 0d02 0809 0a0b 0c0d 0e0f 1011 1213 1415 1617 1819 1a1b 1c1d 1e1f 2021 2223 2425 2627 2829 2a2b 2c2d 2e2f 3031 3233 3435 3637
4500 0054 8bc1 0000 ff01 17d9 0202 0202 0a0a 0a01 0800 e391 6220 0001 3f6f 6e80 000b 0d02 0809 0a0b 0c0d 0e0f 1011 1213 1415 1617 1819 1a1b 1c1d 1e1f 2021 2223 2425 2627 2829 2a2b 2c2d 2e2f 3031 3233 3435 3637
4500 0054 3fd5 4000 ff01 2fc8 0404 0404 0202 0202 0000 db8a 6220 0001 3f6f 6e80 000b 0d02 0809 0a0b 0c0d 0e0f 1011 1213 1415 1617 1819 1a1b 1c1d 1e1f 2021 2223 2425 2627 2829 2a2b 2c2d 2e2f 3031 3233 3435 3637
4500 0054 8bc1 0000 ff01 17d9 0202 0202 0a0a 0a01 0800 efdf 6220 0000 3f6f 6e80 000b 0d02 0809 0a0b 0c0d 0e0f 1011 1213 1415 1617 1819 1a1b 1c1d 1e1f 2021 2223 2425 2627 2829 2a2b 2c2d 2e2f 3031 3233 3435 3637
4500 0054 3fd5 4000 ff01 2fc8 0404 0404 0202 0202 0000 f7df 6220 0000 3f6f 6e80 000b 0d02 0809 0a0b 0c0d 0e0f 1011 1213 1415 1617 1819 1a1b 1c1d 1e1f 2021 2223 2425 2627 2829 2a2b 2c2d 2e2f 3031 3233 3435 3637
4500 0054 8bc1 0000 ff01 17d9 0202 0202 0a0a 0a01 0800 efde 6220 0001 3f6f 6e80 000b 0d02 0809 0a0b 0c0d 0e0f 1011 1213 1415 1617 1819 1a1b 1c1d 1e1f 2021 2223 2425 2627 2829 2a2b 2c2d 2e2f 3031 3233 3435 3637
4500 0054 3fd5 4000 ff01 2fc8 0404 0404 0202 0202 0000 f7de 6220 0001 3f6f 6e80 000b 0d02 0809 0a0b 0c0d 0e0f 1011 1213 1415 1617 1819 1a1b 1c1d 1e1f 2021 2223 2425 2627 2829 2a2b 2c2d 2e2f 3031 3233 3435 3637
-------------------------------

5
dist/ipf/test/expected/ni10 vendored Normal file

@ -0,0 +1,5 @@
4500 003c 4706 4000 ff06 20a2 0404 0404 0606 0606 5000 0050 0000 0001 0000 0000 a002 16d0 d0da 0000 0204 05b4 0402 080a 0047 fbb0 0000 0000 0103 0300
4500 0038 0000 0000 ff01 afb9 0202 0202 0404 0404 0303 acab 0000 0000 4500 003c 4706 4000 ff06 28aa 0404 0404 0202 0202 5000 0050 0000 0001
4500 0058 809a 0000 ff01 2cfd 0303 0303 0404 0404 0303 113f 0000 0000 4500 003c 4706 4000 ff06 20a2 0404 0404 0606 0606 5000 0050 0000 0001 0000 0000 a002 16d0 d0da 0000 0204 05b4 0402 080a 0047 fbb0 0000 0000 0103 0300
4500 0038 809a 0000 ff01 2b1b 0303 0303 0505 0505 0303 acab 0000 0000 4500 003c 4706 4000 ff06 28ab 0404 0404 0202 0201 5000 0050 0000 0001
-------------------------------

5
dist/ipf/test/expected/ni11 vendored Normal file

@ -0,0 +1,5 @@
4500 003c 4706 4000 ff06 2aac 0404 0404 0101 0101 5000 9d58 0000 0001 0000 0000 a002 16d0 3ddc 0000 0204 05b4 0402 080a 0047 fbb0 0000 0000 0103 0300
4500 0038 0000 0000 ff01 a7b9 0a02 0202 0404 0404 0303 a7fb 0000 0000 4500 003c 4706 4000 ff06 20aa 0404 0404 0a02 0202 5000 0500 0000 0001
4500 0058 809a 0000 ff01 2cfd 0303 0303 0404 0404 0303 0735 0000 0000 4500 003c 4706 4000 ff06 2aac 0404 0404 0101 0101 5000 9d58 0000 0001 0000 0000 a002 16d0 3ddc 0000 0204 05b4 0402 080a 0047 fbb0 0000 0000 0103 0300
4500 0038 809a 0000 ff01 2b1b 0303 0303 0505 0505 0303 0fa3 0000 0000 4500 003c 4706 4000 ff06 2aab 0404 0404 0101 0102 5000 9d58 0000 0001
-------------------------------

5
dist/ipf/test/expected/ni12 vendored Normal file

@ -0,0 +1,5 @@
4500 003c 4706 4000 ff06 2aac 0404 0404 0101 0101 5000 9c40 0000 0001 0000 0000 a002 16d0 3ef4 0000 0204 05b4 0402 080a 0047 fbb0 0000 0000 0103 0300
4500 0038 809a 0000 ff01 2d1d 0303 0303 0404 0404 0303 0fa3 0000 0000 4500 003c 4706 4000 ff06 2aac 0404 0404 0101 0101 5000 9d58 0000 0001
4500 0058 809a 0000 ff01 2cfd 0303 0303 0404 0404 0303 0735 0000 0000 4500 003c 4706 4000 ff06 2aac 0404 0404 0101 0101 5000 9d58 0000 0001 0000 0000 a002 16d0 3ddc 0000 0204 05b4 0402 080a 0047 fbb0 0000 0000 0103 0300
4500 0038 809a 0000 ff01 2b1b 0303 0303 0505 0505 0303 0fa3 0000 0000 4500 003c 4706 4000 ff06 2aab 0404 0404 0101 0102 5000 9d58 0000 0001
-------------------------------


@ -1,9 +1,9 @@
4500 0054 cd8a 4000 ff11 1fbb c0a8 0601 c0a8 0701 8075 006f 0040 0000 3e1d d249 0000 0000 0000 0002 0001 86a0 0000 0002 0000 0003 0000 0000 0000 0000 0000 0000 0000 0000 0001 86a3 0000 0003 0000 0011 0000 0000
4500 0054 0000 4000 ff11 ed43 c0a8 0702 c0a8 0701 8075 006f 0040 0000 3e1d d249 0000 0000 0000 0002 0001 86a0 0000 0002 0000 0003 0000 0000 0000 0000 0000 0000 0000 0000 0001 86a3 0000 0003 0000 0011 0000 0000
4500 0038 cd83 4000 ff11 1fde c0a8 0701 c0a8 0601 006f 8075 0024 0000 3e1d d249 0000 0001 0000 0000 0000 0000 0000 0000 0000 0000 0000 0801
4500 0038 0001 4000 ff11 ed5e c0a8 0602 c0a8 0601 006f 8075 0024 d904 3e1d d249 0000 0001 0000 0000 0000 0000 0000 0000 0000 0000 0000 0801
4500 0044 d5a6 4000 ff11 17af c0a8 0601 c0a8 0701 80df 0801 0030 0000 3e10 1fb1 0000 0000 0000 0002 0001 86a3 0000 0002 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000
4500 0044 0002 4000 ff11 ed51 c0a8 0702 c0a8 0701 80df 0801 0030 0000 3e10 1fb1 0000 0000 0000 0002 0001 86a3 0000 0002 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000
4500 0034 0000 4000 fe11 f065 c0a8 0701 c0a8 0601 0801 80df 0020 0000 3e10 1fb1 0000 0001 0000 0000 0000 0000 0000 0000 0000 0000
4500 0034 0003 4000 fe11 f060 c0a8 0602 c0a8 0601 0801 80df 0020 0000 3e10 1fb1 0000 0001 0000 0000 0000 0000 0000 0000 0000 0000
4500 0054 cd8a 4000 ff11 1fbb c0a8 0601 c0a8 0701 8075 006f 0040 d26e 3e1d d249 0000 0000 0000 0002 0001 86a0 0000 0002 0000 0003 0000 0000 0000 0000 0000 0000 0000 0000 0001 86a3 0000 0003 0000 0011 0000 0000
4500 0054 0000 4000 ff11 ec44 c0a8 0702 c0a8 0701 8075 006f 0040 d16d 3e1d d249 0000 0000 0000 0002 0001 86a0 0000 0002 0000 0003 0000 0000 0000 0000 0000 0000 0000 0000 0001 86a3 0000 0003 0000 0011 0000 0000
4500 0038 cd83 4000 ff11 1fde c0a8 0701 c0a8 0601 006f 8075 0024 d805 3e1d d249 0000 0001 0000 0000 0000 0000 0000 0000 0000 0000 0000 0801
4500 0038 0001 4000 ff11 ee5f c0a8 0602 c0a8 0601 006f 8075 0024 d904 3e1d d249 0000 0001 0000 0000 0000 0000 0000 0000 0000 0000 0000 0801
4500 0044 d5a6 4000 ff11 17af c0a8 0601 c0a8 0701 80df 0801 0030 03f1 3e10 1fb1 0000 0000 0000 0002 0001 86a3 0000 0002 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000
4500 0044 0002 4000 ff11 ec52 c0a8 0702 c0a8 0701 80df 0801 0030 02f0 3e10 1fb1 0000 0000 0000 0002 0001 86a3 0000 0002 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000
4500 0034 0000 4000 fe11 ee65 c0a8 0701 c0a8 0601 0801 80df 0020 8ab8 3e10 1fb1 0000 0001 0000 0000 0000 0000 0000 0000 0000 0000
4500 0034 0003 4000 fe11 ef61 c0a8 0602 c0a8 0601 0801 80df 0020 0000 3e10 1fb1 0000 0001 0000 0000 0000 0000 0000 0000 0000 0000
-------------------------------

3
dist/ipf/test/expected/ni7 vendored Normal file
View File

@ -0,0 +1,3 @@
4500 0028 4706 4000 0111 1eac 0404 0404 0606 0606 afc9 829e 0014 6308 0402 0000 3be5 468d 000a cfc3
4500 0038 0000 0000 ff01 afb9 0202 0202 0404 0404 0b00 f91c 0000 0000 4500 0028 4706 4000 0111 26b4 0404 0404 0202 0202 afc9 829e 0014 c966
-------------------------------

5
dist/ipf/test/expected/ni8 vendored Normal file

@ -0,0 +1,5 @@
4500 003c 4706 4000 ff06 2aac 0404 0404 0101 0101 5000 9d58 0000 0001 0000 0000 a002 16d0 3ddc 0000 0204 05b4 0402 080a 0047 fbb0 0000 0000 0103 0300
4500 0038 0000 0000 ff01 a7b9 0a02 0202 0404 0404 0303 a7fb 0000 0000 4500 003c 4706 4000 ff06 20aa 0404 0404 0a02 0202 5000 0500 0000 0001
4500 0058 0001 0000 ff01 a798 0a02 0202 0404 0404 0303 1137 0000 0000 4500 003c 4706 4000 ff06 20aa 0404 0404 0a02 0202 5000 0500 0000 0001 0000 0000 a002 16d0 cc32 0000 0204 05b4 0402 080a 0047 fbb0 0000 0000 0103 0300
4500 0038 0002 0000 ff01 abb3 0303 0303 0505 0505 0303 0fa3 0000 0000 4500 003c 4706 4000 ff06 2aab 0404 0404 0101 0102 5000 9d58 0000 0001
-------------------------------

5
dist/ipf/test/expected/ni9 vendored Normal file

@ -0,0 +1,5 @@
4500 003c 4706 4000 ff06 2aac 0404 0404 0101 0101 5000 9c40 0000 0001 0000 0000 a002 16d0 3ef4 0000 0204 05b4 0402 080a 0047 fbb0 0000 0000 0103 0300
4500 0038 0000 0000 ff01 adb7 0303 0303 0404 0404 0303 0fa3 0000 0000 4500 003c 4706 4000 ff06 2aac 0404 0404 0101 0101 5000 9d58 0000 0001
4500 0058 0001 0000 ff01 ad96 0303 0303 0404 0404 0303 0735 0000 0000 4500 003c 4706 4000 ff06 2aac 0404 0404 0101 0101 5000 9d58 0000 0001 0000 0000 a002 16d0 3ddc 0000 0204 05b4 0402 080a 0047 fbb0 0000 0000 0103 0300
4500 0038 0002 0000 ff01 abb3 0303 0303 0505 0505 0303 0fa3 0000 0000 4500 003c 4706 4000 ff06 2aab 0404 0404 0101 0102 5000 9d58 0000 0001
-------------------------------


@ -1,5 +1,3 @@
.\" $NetBSD: ipv6.3,v 1.1.1.1 2004/03/28 08:56:29 martti Exp $
.\"
[out,gif0]
6000 0000 0010 3a40 3ffe 8280 0000 2001
0000 0000 0000 4395 3ffe 8280 0000 2001

16
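--- a/dist/ipf/test/input/n11
+++ b/dist/ipf/test/input/n11
@@ -0,0 +1,16 @@
+out on zx0 255 10.1.1.0 10.1.1.2
+out on zx0 255 10.1.1.1 10.1.1.2
+out on zx0 255 10.1.1.2 10.1.1.1
+out on zx0 255 10.2.2.1 10.1.2.1
+out on zx0 255 10.2.2.2 10.1.2.1
+in on zx0 255 10.1.1.1 10.1.1.2
+in on zx0 255 10.1.1.2 10.1.1.1
+in on zx0 255 10.2.2.1 10.2.1.1
+in on zx0 255 10.2.2.2 10.2.1.1
+in on zx0 255 10.2.2.3 10.1.1.1
+in on zx0 255 10.2.3.4 10.2.2.2
+in on zx0 255 10.1.1.1 10.2.2.2
+in on zx0 255 10.1.1.2 10.2.2.2
+in on zx0 255 10.1.1.0 10.3.4.5
+in on zx0 255 10.1.1.1 10.3.4.5
+in on zx0 255 10.1.1.2 10.3.4.5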


@ -1,28 +1,28 @@
#v tos len id off ttl p sum src dst
# ICMP ECHO (ping) exchange
[out,icmp0] 45 00 0054 8bc1 0000 ff 01 23dc 0202 0202 0404 0404
0800 e392 6220 0000 3f6f 6e80 000b
[out,icmp0] 4500 0054 8bc1 0000 ff01 23dc 0202 0202 0404 0404
0800 efdf 6220 0000 3f6f 6e80 000b
0d02 0809 0a0b 0c0d 0e0f 1011 1213 1415
1617 1819 1a1b 1c1d 1e1f 2021 2223 2425
2627 2829 2a2b 2c2d 2e2f 3031 3233 3435
3637
[in,icmp0] 45 00 0054 3fd5 4000 ff 01 1fc1 0404 0404 0a0a 0a01
0000 db8b 6220 0000 3f6f 6e80 000b
[in,icmp0] 4500 0054 3fd5 4000 ff01 1fc1 0404 0404 0a0a 0a01
0000 f7df 6220 0000 3f6f 6e80 000b
0d02 0809 0a0b 0c0d 0e0f 1011 1213 1415
1617 1819 1a1b 1c1d 1e1f 2021 2223 2425
2627 2829 2a2b 2c2d 2e2f 3031 3233 3435
3637
[out,icmp0] 45 00 0054 8bc1 0000 ff 01 23dc 0202 0202 0404 0404
0800 e391 6220 0001 3f6f 6e80 000b
[out,icmp0] 4500 0054 8bc1 0000 ff01 23dc 0202 0202 0404 0404
0800 efde 6220 0001 3f6f 6e80 000b
0d02 0809 0a0b 0c0d 0e0f 1011 1213 1415
1617 1819 1a1b 1c1d 1e1f 2021 2223 2425
2627 2829 2a2b 2c2d 2e2f 3031 3233 3435
3637
[in,icmp0] 45 00 0054 3fd5 4000 ff 01 1fc1 0404 0404 0a0a 0a01
0000 db8a 6220 0001 3f6f 6e80 000b
[in,icmp0] 4500 0054 3fd5 4000 ff01 1fc1 0404 0404 0a0a 0a01
0000 f7de 6220 0001 3f6f 6e80 000b
0d02 0809 0a0b 0c0d 0e0f 1011 1213 1415
1617 1819 1a1b 1c1d 1e1f 2021 2223 2425
2627 2829 2a2b 2c2d 2e2f 3031 3233 3435


@ -1,28 +1,28 @@
#v tos len id off ttl p sum src dst
# ICMP ECHO (ping) exchange
[in,icmp0] 45 00 0054 8bc1 0000 ff 01 23dc 0202 0202 0404 0404
0800 e392 6220 0000 3f6f 6e80 000b
[in,icmp0] 4500 0054 8bc1 0000 ff01 23dc 0202 0202 0404 0404
0800 efdf 6220 0000 3f6f 6e80 000b
0d02 0809 0a0b 0c0d 0e0f 1011 1213 1415
1617 1819 1a1b 1c1d 1e1f 2021 2223 2425
2627 2829 2a2b 2c2d 2e2f 3031 3233 3435
3637
[out,icmp0] 45 00 0054 3fd5 4000 ff 01 23c5 0a0a 0a01 0202 0202
0000 db8b 6220 0000 3f6f 6e80 000b
[out,icmp0] 4500 0054 3fd5 4000 ff01 23c5 0a0a 0a01 0202 0202
0000 f7df 6220 0000 3f6f 6e80 000b
0d02 0809 0a0b 0c0d 0e0f 1011 1213 1415
1617 1819 1a1b 1c1d 1e1f 2021 2223 2425
2627 2829 2a2b 2c2d 2e2f 3031 3233 3435
3637
[in,icmp0] 45 00 0054 8bc1 0000 ff 01 23dc 0202 0202 0404 0404
0800 e391 6220 0001 3f6f 6e80 000b
[in,icmp0] 4500 0054 8bc1 0000 ff01 23dc 0202 0202 0404 0404
0800 efde 6220 0001 3f6f 6e80 000b
0d02 0809 0a0b 0c0d 0e0f 1011 1213 1415
1617 1819 1a1b 1c1d 1e1f 2021 2223 2425
2627 2829 2a2b 2c2d 2e2f 3031 3233 3435
3637
[out,icmp0] 45 00 0054 3fd5 4000 ff 01 23c5 0a0a 0a01 0202 0202
0000 db8a 6220 0001 3f6f 6e80 000b
[out,icmp0] 4500 0054 3fd5 4000 ff01 23c5 0a0a 0a01 0202 0202
0000 f7de 6220 0001 3f6f 6e80 000b
0d02 0809 0a0b 0c0d 0e0f 1011 1213 1415
1617 1819 1a1b 1c1d 1e1f 2021 2223 2425
2627 2829 2a2b 2c2d 2e2f 3031 3233 3435

19
dist/ipf/test/input/ni10 vendored Normal file

@ -0,0 +1,19 @@
#v tos len id off ttl p sum src dst
# ICMP dest unreachable with 64 bits in payload (in reply to a TCP packet
# going out)
[in,df0] 45 00 00 3c 47 06 40 00 ff 06 28 aa 04 04 04 04 02 02 02 02 50 00 00 50 00 00 00 01 00 00 00 00 a0 02 16 d0 d8 e2 00 00 02 04 05 b4 04 02 08 0a 00 47 fb b0 00 00 00 00 01 03 03 00
[out,df0]
4500 0038 809a 0000 ff01 2d1d 0303 0303 0404 0404
0303 acab 0000 0000
4500 003c 4706 4000 ff06 20a2 0404 0404 0606 0606
5000 0050 0000 0001
# ICMP dest unreachable with whole packet in payload (40 bytes = 320 bits)
[out,df0] 45 00 00 58 80 9a 00 00 ff 01 2c fd 03 03 03 03 04 04 04 04 03 03 11 3f 00 00 00 00 45 00 00 3c 47 06 40 00 ff 06 20 a2 04 04 04 04 06 06 06 06 50 00 00 50 00 00 00 01 00 00 00 00 a0 02 16 d0 d0 da 00 00 02 04 05 b4 04 02 08 0a 00 47 fb b0 00 00 00 00 01 03 03 00
[out,df0]
4500 0038 809a 0000 ff01 2b1b 0303 0303 0505 0505
0303 acab 0000 0000
4500 003c 4706 4000 ff06 28ab 0404 0404 0202 0201 5000 0050 0000 0001

24
dist/ipf/test/input/ni11 vendored Normal file

@ -0,0 +1,24 @@
#v tos len id off ttl p sum src dst
# ICMP dest unreachable with 64 bits in payload (in reply to a TCP packet
# going out)
[in,df0] 45 00 00 3c 47 06 40 00 ff 06 20 aa 04 04 04 04 0a 02 02 02 50 00 05 00 00 00 00 01 00 00 00 00 a0 02 16 d0 cc 32 00 00 02 04 05 b4 04 02 08 0a 00 47 fb b0 00 00 00 00 01 03 03 00
[out,df0]
4500 0038 809a 0000 ff01 2d1d 0303 0303 0404 0404
0303 0fa3 0000 0000
4500 003c 4706 4000 ff06 2aac 0404 0404 0101 0101
5000 9d58 0000 0001
# ICMP dest unreachable with whole packet in payload (40 bytes = 320 bits)
[out,df0]
4500 0058 809a 0000 ff01 2cfd 0303 0303 0404 0404
0303 0735 0000 0000
4500 003c 4706 4000 ff06 2aac 0404 0404 0101 0101
5000 9d58 0000 0001 0000 0000 a002 16d0 3ddc 0000
0204 05b4 0402 080a 0047 fbb0 0000 0000 0103 0300
[out,df0]
4500 0038 809a 0000 ff01 2b1b 0303 0303 0505 0505
0303 0fa3 0000 0000
4500 003c 4706 4000 ff06 2aab 0404 0404 0101 0102 5000 9d58 0000 0001

24
dist/ipf/test/input/ni12 vendored Normal file

@ -0,0 +1,24 @@
#v tos len id off ttl p sum src dst
# ICMP dest unreachable with 64 bits in payload (in reply to a TCP packet
# going out)
[in,df0] 45 00 00 3c 47 06 40 00 ff 06 20 aa 04 04 04 04 0a 02 02 02 50 00 05 00 00 00 00 01 00 00 00 00 a0 02 16 d0 cc 32 00 00 02 04 05 b4 04 02 08 0a 00 47 fb b0 00 00 00 00 01 03 03 00
[out,df0]
4500 0038 809a 0000 ff01 2d1d 0303 0303 0404 0404
0303 0fa3 0000 0000
4500 003c 4706 4000 ff06 2aac 0404 0404 0101 0101
5000 9d58 0000 0001
# ICMP dest unreachable with whole packet in payload (40 bytes = 320 bits)
[out,df0]
4500 0058 809a 0000 ff01 2cfd 0303 0303 0404 0404
0303 0735 0000 0000
4500 003c 4706 4000 ff06 2aac 0404 0404 0101 0101
5000 9d58 0000 0001 0000 0000 a002 16d0 3ddc 0000
0204 05b4 0402 080a 0047 fbb0 0000 0000 0103 0300
[out,df0]
4500 0038 809a 0000 ff01 2b1b 0303 0303 0505 0505
0303 0fa3 0000 0000
4500 003c 4706 4000 ff06 2aab 0404 0404 0101 0102 5000 9d58 0000 0001


@ -1,14 +1,14 @@
[in,nf0]
4500 0054 cd8a 4000 ff11 20ba c0a8 0601
c0a8 0602 8075 006f 0040 0000 3e1d d249
c0a8 0602 8075 006f 0040 d36d 3e1d d249
0000 0000 0000 0002 0001 86a0 0000 0002
0000 0003 0000 0000 0000 0000 0000 0000
0000 0000 0001 86a3 0000 0003 0000 0011
0000 0000
[out,qfe0]
4500 0054 cd8a 4000 ff11 20ba c0a8 0601
c0a8 0701 8075 006f 0040 0000 3e1d d249
4500 0054 cd8a 4000 ff11 1fbb c0a8 0601
c0a8 0701 8075 006f 0040 d26e 3e1d d249
0000 0000 0000 0002 0001 86a0 0000 0002
0000 0003 0000 0000 0000 0000 0000 0000
0000 0000 0001 86a3 0000 0003 0000 0011
@ -16,38 +16,38 @@ c0a8 0701 8075 006f 0040 0000 3e1d d249
[in,qfe0]
4500 0038 cd83 4000 ff11 1edd c0a8 0701
c0a8 0702 006f 8075 0024 0000 3e1d d249
c0a8 0702 006f 8075 0024 d704 3e1d d249
0000 0001 0000 0000 0000 0000 0000 0000
0000 0000 0000 0801
[out,nf0]
4500 0038 cd83 4000 ff11 1edd c0a8 0701
4500 0038 cd83 4000 ff11 1fde c0a8 0701
c0a8 0601 006f 8075 0024 d805 3e1d d249
0000 0001 0000 0000 0000 0000 0000 0000
0000 0000 0000 0801
[in,nf0]
4500 0044 d5a6 4000 ff11 18ae c0a8 0601
c0a8 0602 80df 0801 0030 0000 3e10 1fb1
c0a8 0602 80df 0801 0030 04f0 3e10 1fb1
0000 0000 0000 0002 0001 86a3 0000 0002
0000 0000 0000 0000 0000 0000 0000 0000
0000 0000
[out,qfe0]
4500 0044 d5a6 4000 ff11 18ae c0a8 0601
c0a8 0701 80df 0801 0030 0000 3e10 1fb1
4500 0044 d5a6 4000 ff11 17af c0a8 0601
c0a8 0701 80df 0801 0030 03f1 3e10 1fb1
0000 0000 0000 0002 0001 86a3 0000 0002
0000 0000 0000 0000 0000 0000 0000 0000
0000 0000
[in,qfe0]
4500 0034 0000 4000 fe11 ef64 c0a8 0701
c0a8 0702 0801 80df 0020 0000 3e10 1fb1
4500 0034 0000 4000 fe11 ed64 c0a8 0701
c0a8 0702 0801 80df 0020 89b7 3e10 1fb1
0000 0001 0000 0000 0000 0000 0000 0000
0000 0000
[out,nf0]
4500 0034 0000 4000 fe11 ef64 c0a8 0701
4500 0034 0000 4000 fe11 ee65 c0a8 0701
c0a8 0601 0801 80df 0020 0000 3e10 1fb1
0000 0001 0000 0000 0000 0000 0000 0000
0000 0000

13
dist/ipf/test/input/ni7 vendored Normal file

@ -0,0 +1,13 @@
#v tos len id off ttl p sum src dst
# ICMP timeout exceeded in reply to a ICMP packet coming in.
[in,df0]
4500 0028 4706 4000 0111 26b4 0404 0404
0202 0202 afc9 829e 0014 6b10 0402 0000
3be5 468d 000a cfc3
[out,df0]
4500 0038 809a 0000 ff01 2d1d 0303 0303
0404 0404 0b00 0125 0000 0000 4500 0028
4706 4000 0111 1eac 0404 0404 0606 0606
afc9 829e 0014 c15e

24
dist/ipf/test/input/ni8 vendored Normal file

@ -0,0 +1,24 @@
#v tos len id off ttl p sum src dst
# ICMP dest unreachable with 64 bits in payload (in reply to a TCP packet
# going out)
[in,df0] 45 00 00 3c 47 06 40 00 ff 06 20 aa 04 04 04 04 0a 02 02 02 50 00 05 00 00 00 00 01 00 00 00 00 a0 02 16 d0 cc 32 00 00 02 04 05 b4 04 02 08 0a 00 47 fb b0 00 00 00 00 01 03 03 00
[out,df0]
4500 0038 809a 0000 ff01 2d1d 0303 0303 0404 0404
0303 0fa3 0000 0000
4500 003c 4706 4000 ff06 2aac 0404 0404 0101 0101
5000 9d58 0000 0001
# ICMP dest unreachable with whole packet in payload (40 bytes = 320 bits)
[out,df0]
4500 0058 809a 0000 ff01 2cfd 0303 0303 0404 0404
0303 0735 0000 0000
4500 003c 4706 4000 ff06 2aac 0404 0404 0101 0101
5000 9d58 0000 0001 0000 0000 a002 16d0 3ddc 0000
0204 05b4 0402 080a 0047 fbb0 0000 0000 0103 0300
[out,df0]
4500 0038 809a 0000 ff01 2b1b 0303 0303 0505 0505
0303 0fa3 0000 0000
4500 003c 4706 4000 ff06 2aab 0404 0404 0101 0102 5000 9d58 0000 0001

24
dist/ipf/test/input/ni9 vendored Normal file

@ -0,0 +1,24 @@
#v tos len id off ttl p sum src dst
# ICMP dest unreachable with 64 bits in payload (in reply to a TCP packet
# going out)
[in,df0] 45 00 00 3c 47 06 40 00 ff 06 20 aa 04 04 04 04 0a 02 02 02 50 00 05 00 00 00 00 01 00 00 00 00 a0 02 16 d0 cc 32 00 00 02 04 05 b4 04 02 08 0a 00 47 fb b0 00 00 00 00 01 03 03 00
[out,df0]
4500 0038 809a 0000 ff01 2d1d 0303 0303 0404 0404
0303 0fa3 0000 0000
4500 003c 4706 4000 ff06 2aac 0404 0404 0101 0101
5000 9d58 0000 0001
# ICMP dest unreachable with whole packet in payload (40 bytes = 320 bits)
[out,df0]
4500 0058 809a 0000 ff01 2cfd 0303 0303 0404 0404
0303 0735 0000 0000
4500 003c 4706 4000 ff06 2aac 0404 0404 0101 0101
5000 9d58 0000 0001 0000 0000 a002 16d0 3ddc 0000
0204 05b4 0402 080a 0047 fbb0 0000 0000 0103 0300
[out,df0]
4500 0038 809a 0000 ff01 2b1b 0303 0303 0505 0505
0303 0fa3 0000 0000
4500 003c 4706 4000 ff06 2aab 0404 0404 0101 0102 5000 9d58 0000 0001


@ -2,3 +2,7 @@ block in on eri0 all head 1
pass in on eri0 proto icmp all group 1
pass out on ed0 all head 1000000
block out on ed0 proto udp all group 1000000
block in on vm0 proto tcp/udp all head 101
pass in from 1.1.1.1 to 2.2.2.2 group 101
pass in proto tcp from 1.0.0.1 to 2.0.0.2 group 101
pass in proto udp from 2.0.0.2 to 3.0.0.3 group 101


@ -1,3 +1 @@
.\" $NetBSD: ipv6.3,v 1.1.1.1 2004/03/28 08:56:29 martti Exp $
.\"
pass out log quick on gif0 proto ipv6-icmp from any to any icmp-type 128 keep state

3
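--- a/dist/ipf/test/regress/n11
+++ b/dist/ipf/test/regress/n11
@@ -0,0 +1,3 @@
+bimap zx0 10.1.1.1/32 -> 1.6.7.8/32
+bimap zx0 10.1.1.0/24 -> 10.2.2.2/32
+bimap zx0 10.1.1.0/24 -> 10.3.4.5/24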

4
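--- a/dist/ipf/test/regress/ni10.ipf
+++ b/dist/ipf/test/regress/ni10.ipf
@@ -0,0 +1,4 @@
+block in all
+block out all
+pass in proto udp from any to any keep state
+pass in proto tcp from any to any flags S keep state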

1
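--- a/dist/ipf/test/regress/ni10.nat
+++ b/dist/ipf/test/regress/ni10.nat
@@ -0,0 +1 @@
+rdr df0 2.2.2.2/32 -> 6.6.6.6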

4
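--- a/dist/ipf/test/regress/ni11.ipf
+++ b/dist/ipf/test/regress/ni11.ipf
@@ -0,0 +1,4 @@
+block in all
+block out all
+pass in proto udp from any to any keep state
+pass in proto tcp from any to any flags S keep state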

1
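--- a/dist/ipf/test/regress/ni11.nat
+++ b/dist/ipf/test/regress/ni11.nat
@@ -0,0 +1 @@
+rdr df0 10.0.0.0/8 port 1000:2000 -> 1.1.1.1 port 40000 tcp/udp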

4
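--- a/dist/ipf/test/regress/ni12.ipf
+++ b/dist/ipf/test/regress/ni12.ipf
@@ -0,0 +1,4 @@
+block in all
+block out all
+pass in proto udp from any to any keep state
+pass in proto tcp from any to any flags S keep state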

1
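--- a/dist/ipf/test/regress/ni12.nat
+++ b/dist/ipf/test/regress/ni12.nat
@@ -0,0 +1 @@
+rdr df0 10.0.0.0/8 port 1000:2000 -> 1.1.1.1 port = 40000 tcp/udp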

4
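--- a/dist/ipf/test/regress/ni7.ipf
+++ b/dist/ipf/test/regress/ni7.ipf
@@ -0,0 +1,4 @@
+block in all
+block out all
+pass in proto udp from any to any keep state
+pass in proto tcp from any to any flags S keep state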

1
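--- a/dist/ipf/test/regress/ni7.nat
+++ b/dist/ipf/test/regress/ni7.nat
@@ -0,0 +1 @@
+rdr df0 2.2.2.2/32 -> 6.6.6.6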

1
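--- a/dist/ipf/test/regress/ni8.ipf
+++ b/dist/ipf/test/regress/ni8.ipf
@@ -0,0 +1 @@
+pass in quick proto tcp from any to any flags S/SAFR keep state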

1
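--- a/dist/ipf/test/regress/ni8.nat
+++ b/dist/ipf/test/regress/ni8.nat
@@ -0,0 +1 @@
+rdr df0 10.0.0.0/8 port 1000:2000 -> 1.1.1.1 port 40000 tcp/udp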

1
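--- a/dist/ipf/test/regress/ni9.ipf
+++ b/dist/ipf/test/regress/ni9.ipf
@@ -0,0 +1 @@
+pass in quick proto tcp from any to any flags S/SAFR keep state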

1
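--- a/dist/ipf/test/regress/ni9.nat
+++ b/dist/ipf/test/regress/ni9.nat
@@ -0,0 +1 @@
+rdr df0 10.0.0.0/8 port 1000:2000 -> 1.1.1.1 port = 40000 tcp/udp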


@ -52,12 +52,20 @@ n7 text text
n8 hex hex fr_update_ipid=0
n9 hex hex fr_update_ipid=0
n10 hex hex fr_update_ipid=0
n11 text text
ni1 hex hex fr_update_ipid=1
ni2 hex hex fr_update_ipid=1
ni3 hex hex fr_update_ipid=1
ni4 hex hex fr_update_ipid=1
ni5 hex hex fr_update_ipid=1
ni6 hex hex fr_update_ipid=1
ni7 hex hex fr_update_ipid=1
ni8 hex hex fr_update_ipid=1
ni9 hex hex fr_update_ipid=1
ni10 hex hex fr_update_ipid=1
ni11 hex hex fr_update_ipid=1
ni12 hex hex fr_update_ipid=1
ni13 hex hex fr_update_ipid=1
p1 text text
p2 text text
p3 text text

269
dist/ipf/test/vfycksum.pl vendored Normal file

@ -0,0 +1,269 @@
#
# validate the IPv4 header checksum.
# $bytes[] is an array of 16bit values, with $cnt elements in the array.
#
sub dosum {
local($seed) = $_[0];
local($start) = $_[1];
local($max) = $_[2];
local($idx) = $start;
local($lsum) = $seed;
for ($idx = $start, $lsum = $seed; $idx < $max; $idx++) {
$lsum += $bytes[$idx];
}
while ($lsum > 65535) {
$lsum = ($lsum & 0xffff) + ($lsum >> 16);
}
$lsum = ~$lsum & 0xffff;
return $lsum;
}
sub ipv4check {
local($base) = $_[0];
$hl = $bytes[$base] / 256;
return if (($hl >> 4) != 4); # IPv4 ?
$hl &= 0xf;
$hl <<= 1; # get the header length in 16bit words
$hs = &dosum(0, $base, $base + $hl);
$osum = $bytes[$base + 5];
if ($hs != 0) {
$bytes[$base + 5] = 0;
$hs2 = &dosum($base, 0, $base + $hl);
$bytes[$base + 5] = $osum;
printf " IP: (%x) %x != %x", $hs, $osum, $hs2;
} else {
print " IP($base): ok ";
}
#
# Recognise TCP & UDP and calculate checksums for each of these.
#
if (($bytes[$base + 4] & 0xff) == 6) {
&tcpcheck($base);
}
if (($bytes[$base + 4] & 0xff) == 17) {
&udpcheck($base);
}
if (($bytes[$base + 4] & 0xff) == 1) {
&icmpcheck($base);
}
if ($base == 0) {
print "\n";
}
}
sub tcpcheck {
local($base) = $_[0];
local($hl) = $bytes[$base] / 256;
return if (($hl >> 4) != 4);
return if ($bytes[3] & 0x1fff);
$hl &= 0xf;
$hl <<= 1;
local($hs2);
local($hs) = 6; # TCP
local($len) = $bytes[$base + 1] - ($hl << 1);
$hs += $len;
$hs += $bytes[$base + 6]; # source address
$hs += $bytes[$base + 7];
$hs += $bytes[$base + 8]; # destination address
$hs += $bytes[$base + 9];
local($tcpsum) = $hs;
local($thl) = $bytes[$base + $hl + 6] >> 8;
$thl &= 0xf0;
$thl >>= 2;
if ($bytes[$base + 1] > ($cnt - $base) * 2) {
print " TCP: missing data(1)";
return;
} elsif (($cnt - $base) * 2 < $hl + 20) {
print " TCP: missing data(2)";
return;
} elsif (($cnt - $base) * 2 < $hl + $thl) {
print " TCP: missing data(3)";
return;
}
local($tcpat) = $base + $hl;
$hs = &dosum($tcpsum, $tcpat, $cnt);
if ($hs != 0) {
local($osum) = $bytes[$tcpat + 8];
$bytes[$base + $hl + 8] = 0;
$hs2 = &dosum($tcpsum, $tcpat, $cnt);
$bytes[$tcpat + 8] = $osum;
printf " TCP: (%x) %x != %x", $hs, $osum, $hs2;
} else {
print " TCP: ok";
}
}
sub udpcheck {
local($base) = $_[0];
local($hl) = $bytes[0] / 256;
return if (($hl >> 4) != 4);
return if ($bytes[3] & 0x1fff);
$hl &= 0xf;
$hl <<= 1;
local($hs2);
local($hs) = 17; # UDP
local($len) = $bytes[$base + 1] - ($hl << 1);
$hs += $len;
$hs += $bytes[$base + 6]; # source address
$hs += $bytes[$base + 7];
$hs += $bytes[$base + 8]; # destination address
$hs += $bytes[$base + 9];
local($udpsum) = $hs;
if ($bytes[$base + 1] > ($cnt - $base) * 2) {
print " UDP: missing data(1)";
return;
} elsif ($bytes[$base + 1] < ($hl << 1) + 8) {
print " UDP: missing data(2)";
return;
} elsif (($cnt - $base) * 2 < ($hl << 1) + 8) {
print " UDP: missing data(3)";
return;
}
local($udpat) = $base + $hl;
$hs = &dosum($udpsum, $udpat, $cnt);
local($osum) = $bytes[$udpat + 3];
#
# It is valid for UDP packets to have a 0 checksum field.
# If it is 0, then display what it would otherwise be.
#
if ($osum == 0) {
printf " UDP: => %x", $hs;
} elsif ($hs != 0) {
$bytes[$udpat + 3] = 0;
$hs2 = &dosum($udpsum, $udpat, $cnt);
$bytes[$udpat + 3] = $osum;
printf " UDP: (%x) %x != %x", $hs, $osum, $hs2;
} else {
print " UDP: ok";
}
}
sub icmpcheck {
local($base) = $_[0];
local($hl) = $bytes[$base + 0] / 256;
return if (($hl >> 4) != 4);
return if ($bytes[3] & 0x1fff);
$hl &= 0xf;
$hl <<= 1;
local($hs);
local($hs2);
local($len) = $bytes[$base + 1] - ($hl << 1);
if ($len > $cnt * 2) {
print "missing icmp data\n";
}
local($osum) = $bytes[$base + $hl + 1];
$bytes[$hl + 1] = 0;
for ($i = $base + $hl, $hs2 = 0; $i < $cnt; $i++) {
$hs2 += $bytes[$i];
}
$hs = $hs2 + $osum;
while ($hs2 > 65535) {
$hs2 = ($hs2 & 0xffff) + ($hs2 >> 16);
}
while ($hs > 65535) {
$hs = ($hs & 0xffff) + ($hs >> 16);
}
$hs2 = ~$hs2 & 0xffff;
$hs = ~$hs & 0xffff;
if ($osum != $hs2) {
printf " ICMP: (%x) %x != %x", $hs, $osum, $hs2;
} else {
print " ICMP: ok";
}
if ($base == 0) {
$type = $bytes[$hl] >> 8;
if ($type == 3 || $type == 4 || $type == 5 ||
$type == 11 || $type == 12) {
&ipv4check($hl + 4);
}
}
}
while ($#ARGV >= 0) {
open(I, "$ARGV[0]") || die $!;
print "--- $ARGV[0] ---\n";
$multi = 0;
while (<I>) {
chop;
s/#.*//g;
#
# If the first non-comment, non-empty line of input starts
# with a '[', then allow the input to be a multi-line hex
# string, otherwise it has to be all on one line.
#
if (/^\[/) {
$multi=1;
s/^\[[^]]*\]//g;
}
s/^ *//g;
if (length == 0) {
next if ($cnt == 0);
&ipv4check(0);
$cnt = 0;
$multi = 0;
next;
}
#
# look for 16 bits, represented with leading 0's as required,
# in hex.
#
s/\t/ /g;
while (/^[0-9a-fA-F][0-9a-fA-F] [0-9a-fA-F][0-9a-fA-F] .*/) {
s/^([0-9a-fA-F][0-9a-fA-F]) ([0-9a-fA-F][0-9a-fA-F]) (.*)/$1$2 $3/;
}
while (/.* [0-9a-fA-F][0-9a-fA-F] [0-9a-fA-F][0-9a-fA-F] .*/) {
$b=$_;
s/(.*?) ([0-9a-fA-F][0-9a-fA-F]) ([0-9a-fA-F][0-9a-fA-F]) (.*)/$1 $2$3 $4/g;
}
while (/^[0-9a-fA-F][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F].*/) {
$x = $_;
$x =~ s/([0-9a-fA-F][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F]).*/$1/;
$x =~ s/ *//g;
$y = hex $x;
s/[0-9a-fA-F][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F] *(.*)/$1/;
$bytes[$cnt] = $y;
#print "bytes[$cnt] = $x\n";
$cnt++;
}
#
# Pick up stragler bytes.
#
if (/^[0-9a-fA-F][0-9a-fA-F]/) {
$y = hex $_;
$bytes[$cnt++] = $y * 256;
}
if ($multi == 0 && $cnt > 0) {
&ipv4check(0);
$cnt = 0;
}
}
if ($cnt > 0) {
&ipv4check(0);
}
close(I);
shift(@ARGV);
}
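Review bot: Several index expressions drop `$base`, so the results are only dependable when `$base` is 0: udpcheck takes the header length from `$bytes[0]`, icmpcheck zeroes `$bytes[$hl + 1]` and never restores it, and the recompute in ipv4check calls `&dosum($base, 0, $base + $hl)` with the seed and start arguments swapped relative to dosum's `(seed, start, max)` order. The non-zero case is reached through `&ipv4check($hl + 4)` for the header embedded in an ICMP error, which is what the new NAT test data exercises, so a bad embedded checksum can be reported against the wrong words or with a misleading expected value. The corrected lines would be `local($hl) = $bytes[$base] / 256;`, `$bytes[$base + $hl + 1] = 0;` and `$hs2 = &dosum(0, $base, $base + $hl);`. Separately, `open(I, "$ARGV[0]")` is the two-argument form, which lets characters in the file name choose the open mode; `open(I, "<", $ARGV[0])` keeps the argument a plain path.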


@ -9,7 +9,9 @@ all: $(DEST)/ipf_y.c $(DEST)/ipf_y.h $(DEST)/ipf_l.c \
$(DEST)/ipf_l.h $(DEST)/ipnat_l.h $(DEST)/ipscan_l.h \
$(DEST)/ippool_l.h $(DEST)/ipmon_l.h
$(DEST)/ipf_y.c $(DEST)/ipf_y.h: ipf_y.y
$(DEST)/ipf_y.h: $(DEST)/ipf_y.c
$(DEST)/ipf_y.c: ipf_y.y
yacc -d ipf_y.y
sed -e 's/yy/ipf_yy/g' -e 's/y.tab.h/ipf_y.c/' \
-e 's/"ipf_y.y"/"..\/tools\/ipf_y.y"/' \
@ -21,6 +23,8 @@ $(DEST)/ipf_l.c: lexer.c
sed -e 's/yy/ipf_yy/g' -e 's/y.tab.h/ipf_y.h/' \
-e 's/lexer.h/ipf_l.h/' lexer.c > $@
$(DEST)/ipmon_y.n: $(DEST)/ipmon_y.c
$(DEST)/ipmon_y.c $(DEST)/ipmon_y.h: ipmon_y.y
yacc -d ipmon_y.y
sed -e 's/yy/ipmon_yy/g' -e 's/"ipmon_y.y"/"..\/tools\/ipmon_y.y"/' \
@ -32,6 +36,8 @@ $(DEST)/ipmon_l.c: lexer.c
sed -e 's/yy/ipmon_yy/g' -e 's/y.tab.h/ipmon_y.h/' \
-e 's/lexer.h/ipmon_l.h/' lexer.c > $@
$(DEST)/ipscan_y.h: $(DEST)/ipscan_y.c
$(DEST)/ipscan_y.c $(DEST)/ipscan_y.h: ipscan_y.y
yacc -d ipscan_y.y
sed -e 's/yy/ipscan_yy/g' \
@ -44,6 +50,8 @@ $(DEST)/ipscan_l.c: lexer.c
sed -e 's/yy/ipscan_yy/g' -e 's/y.tab.h/ipscan_y.h/' \
-e 's/lexer.h/ipscan_l.h/' lexer.c > $@
$(DEST)/ippool_y.h: $(DEST)/ippool_y.c
$(DEST)/ippool_y.c $(DEST)/ippool_y.h: ippool_y.y
yacc -d ippool_y.y
sed -e 's/yy/ippool_yy/g' -e 's/"ippool_y.y"/"..\/tools\/ippool_y.y"/' \
@ -55,6 +63,8 @@ $(DEST)/ippool_l.c: lexer.c
sed -e 's/yy/ippool_yy/g' -e 's/y.tab.h/ippool_y.h/' \
-e 's/lexer.h/ippool_l.h/' lexer.c > $@
$(DEST)/ipnat_y.h: $(DEST)/ipnat_y.c
$(DEST)/ipnat_y.c $(DEST)/ipnat_y.h: ipnat_y.y
yacc -d ipnat_y.y
sed -e 's/yy/ipnat_yy/g' -e 's/y.tab.c/ipnat_y.c/' \
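Review bot: The target `$(DEST)/ipmon_y.n` in the second hunk looks like a typo for `$(DEST)/ipmon_y.h`; the parallel lines in the later hunks name `ipscan_y.h`, `ippool_y.h` and `ipnat_y.h`. Nothing visible refers to ipmon_y.n, so the header-after-C-file ordering that the other rules establish is missing for ipmon; the line would read `$(DEST)/ipmon_y.h: $(DEST)/ipmon_y.c`. Going by the hunk counts, only the ipf_y rule was actually split into two single-target rules, while the other four still list both `_y.c` and `_y.h` as targets of the one yacc recipe, so it is worth deciding whether they should be split the same way. The recipe of the last rule continues outside the hunk.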

42
dist/ipf/tools/ipf.c vendored

@ -1,4 +1,4 @@
/* $NetBSD: ipf.c,v 1.1.1.1 2004/03/28 08:56:30 martti Exp $ */
/* $NetBSD: ipf.c,v 1.1.1.2 2004/07/23 05:34:47 martti Exp $ */
/*
* Copyright (C) 1993-2001 by Darren Reed.
@ -21,7 +21,7 @@
#if !defined(lint)
static const char sccsid[] = "@(#)ipf.c 1.23 6/5/96 (C) 1993-2000 Darren Reed";
static const char rcsid[] = "@(#)Id: ipf.c,v 1.35.2.1 2004/03/06 14:33:35 darrenr Exp";
static const char rcsid[] = "@(#)Id: ipf.c,v 1.35.2.2 2004/04/16 23:58:25 darrenr Exp";
#endif
#if !defined(__SVR4) && defined(__GNUC__)
@ -352,9 +352,22 @@ char *arg;
rem = fl;
closedevice();
if (opendevice(IPSTATE_NAME, 1) != -2 &&
ioctl(fd, SIOCIPFFL, &fl) == -1)
perror("ioctl(SIOCIPFFL)");
if (opendevice(IPSTATE_NAME, 1) == -2)
exit(1);
if (!(opts & OPT_DONOTHING)) {
if (use_inet6) {
if (ioctl(fd, SIOCIPFL6, &fl) == -1) {
perror("ioctl(SIOCIPFL6)");
exit(1);
}
} else {
if (ioctl(fd, SIOCIPFFL, &fl) == -1) {
perror("ioctl(SIOCIPFFL)");
exit(1);
}
}
}
if ((opts & (OPT_DONOTHING|OPT_VERBOSE)) == OPT_VERBOSE) {
printf("remove flags %s (%d)\n", arg, rem);
printf("removed %d filter rules\n", fl);
@ -390,8 +403,23 @@ char *arg;
fl |= FR_INACTIVE;
rem = fl;
if (opendevice(ipfname, 1) != -2 && ioctl(fd, SIOCIPFFL, &fl) == -1)
perror("ioctl(SIOCIPFFL)");
if (opendevice(ipfname, 1) == -2)
exit(1);
if (!(opts & OPT_DONOTHING)) {
if (use_inet6) {
if (ioctl(fd, SIOCIPFL6, &fl) == -1) {
perror("ioctl(SIOCIPFL6)");
exit(1);
}
} else {
if (ioctl(fd, SIOCIPFFL, &fl) == -1) {
perror("ioctl(SIOCIPFFL)");
exit(1);
}
}
}
if ((opts & (OPT_DONOTHING|OPT_VERBOSE)) == OPT_VERBOSE) {
printf("remove flags %s%s (%d)\n", (rem & FR_INQUE) ? "I" : "",
(rem & FR_OUTQUE) ? "O" : "", rem);
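Review bot: The flush sequence added after `opendevice(IPSTATE_NAME, 1)` (OPT_DONOTHING guard, SIOCIPFL6 or SIOCIPFFL selection, perror and exit) is repeated line for line after `opendevice(ipfname, 1)` in the next hunk; a small static helper would keep the two paths from drifting apart. The sketch below assumes `fl` is an int, as the `%d` in the printf suggests. It is also worth confirming what opendevice() returns in OPT_DONOTHING mode, since it is defined outside these hunks: if that value is -2, the new `exit(1)` runs before the `!(opts & OPT_DONOTHING)` guard and a dry run ends with a failure status. Both enclosing functions start and end outside the hunks.

```c
/* Issue the flush ioctl for the selected address family on the open fd; exits on error. */
static void flushioctl(flp)
int *flp;
{
	if (opts & OPT_DONOTHING)
		return;
	if (use_inet6) {
		if (ioctl(fd, SIOCIPFL6, flp) == -1) {
			perror("ioctl(SIOCIPFL6)");
			exit(1);
		}
	} else if (ioctl(fd, SIOCIPFFL, flp) == -1) {
		perror("ioctl(SIOCIPFFL)");
		exit(1);
	}
}

/* ... unchanged: opendevice() check in each caller ... */
	flushioctl(&fl);
/* ... unchanged: verbose reporting ... */
```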


@ -1,4 +1,4 @@
/* $NetBSD: ipfcomp.c,v 1.1.1.1 2004/03/28 08:56:30 martti Exp $ */
/* $NetBSD: ipfcomp.c,v 1.1.1.2 2004/07/23 05:34:47 martti Exp $ */
/*
* Copyright (C) 1993-2001 by Darren Reed.
@ -7,7 +7,7 @@
*/
#if !defined(lint)
static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-2000 Darren Reed";
static const char rcsid[] = "@(#)Id: ipfcomp.c,v 1.24 2004/01/24 16:04:29 darrenr Exp";
static const char rcsid[] = "@(#)Id: ipfcomp.c,v 1.24.2.2 2004/04/28 10:34:44 darrenr Exp";
#endif
#include "ipf.h"
@ -123,6 +123,8 @@ frentry_t *fr;
fprintf(fp, "#ifndef _KERNEL\n");
fprintf(fp, "# include <string.h>\n");
fprintf(fp, "#endif /* _KERNEL */\n");
fprintf(fp, "\n");
fprintf(fp, "#ifdef IPFILTER_COMPILED\n");
}
addrule(fp, fr);
@ -322,7 +324,9 @@ frentry_t *fr;
}
}
emittail();
fprintf(cfile, "#endif /* IPFILTER_COMPILED */\n");
}
}
@ -1291,6 +1295,9 @@ int ipfrule_add_%s_%s()\n", instr, group);
fp->fr_flags = FR_%sQUE|FR_NOMATCH;\n\
fp->fr_data = (void *)ipf_rules_%s_%s[0];\n",
(in != 0) ? "IN" : "OUT", instr, group);
fprintf(fp, "\
fp->fr_dsize = sizeof(ipf_rules_%s_%s[0]);\n",
instr, group);
fprintf(fp, "\
fp->fr_v = 4;\n\
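Review bot: The generated `fp->fr_dsize = sizeof(ipf_rules_%s_%s[0]);` in the last hunk sizes the array element, while the line before it stores that same element into `fr_data` through a `(void *)` cast, which suggests the element is a pointer. If so, fr_dsize records the size of a pointer rather than of the rule it points to, and any consumer that uses fr_dsize as a copy or validation length would work with the wrong number; the array's declaration is emitted outside this hunk, so this needs checking there. If the rule size is what is wanted, the emitted text would be `fp->fr_dsize = sizeof(*ipf_rules_%s_%s[0]);`. The enclosing function starts and ends outside the hunk.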


@ -1,4 +1,4 @@
/* $NetBSD: ipftest.c,v 1.1.1.1 2004/03/28 08:56:32 martti Exp $ */
/* $NetBSD: ipftest.c,v 1.1.1.2 2004/07/23 05:34:50 martti Exp $ */
/*
* Copyright (C) 1993-2001 by Darren Reed.
@ -12,7 +12,7 @@
#if !defined(lint)
static const char sccsid[] = "@(#)ipt.c 1.19 6/3/96 (C) 1993-2000 Darren Reed";
static const char rcsid[] = "@(#)Id: ipftest.c,v 1.44.2.1 2004/03/19 23:07:33 darrenr Exp";
static const char rcsid[] = "@(#)Id: ipftest.c,v 1.44.2.2 2004/04/28 17:56:21 darrenr Exp";
#endif
extern char *optarg;
@ -622,8 +622,11 @@ void dumpnat()
for (ipn = nat_list; ipn != NULL; ipn = ipn->in_next)
printnat(ipn, opts & (OPT_DEBUG|OPT_VERBOSE));
printf("\nList of active sessions:\n");
for (nat = nat_instances; nat; nat = nat->nat_next)
for (nat = nat_instances; nat; nat = nat->nat_next) {
printactivenat(nat, opts);
if (nat->nat_aps)
printaps(nat->nat_aps, opts);
}
}


@ -1,4 +1,4 @@
/* $NetBSD: ipmon_y.y,v 1.1.1.1 2004/03/28 08:56:34 martti Exp $ */
/* $NetBSD: ipmon_y.y,v 1.1.1.2 2004/07/23 05:34:51 martti Exp $ */
%{
#include "ipf.h"
@ -57,7 +57,7 @@ static ipmon_action_t *alist = NULL;
%type <addr> ipv4
%type <opt> direction dstip dstport every execute group interface
%type <opt> protocol result rule srcip srcport logtag matching
%type <opt> matchopt nattag type doopt doing save syslog nothing execute
%type <opt> matchopt nattag type doopt doing save syslog nothing
%type <num> saveopts saveopt typeopt
%%
@ -70,6 +70,7 @@ file: line
line: IPM_MATCH '{' matching '}' IPM_DO '{' doing '}' ';'
{ build_action($3); resetlexer(); }
| IPM_COMMENT
| YY_COMMENT
;
assign: YY_STR assigning YY_STR ';' { set_variable($1, $3);
@ -242,6 +243,7 @@ ipv4: YY_NUMBER '.' YY_NUMBER '.' YY_NUMBER '.' YY_NUMBER
static struct wordtab yywords[] = {
{ "body", IPM_BODY },
{ "direction", IPM_DIRECTION },
{ "do", IPM_DO },
{ "dstip", IPM_DSTIP },
{ "dstport", IPM_DSTPORT },
{ "every", IPM_EVERY },
@ -303,6 +305,7 @@ int type;
o->o_line = yylineNum;
o->o_num = 0;
o->o_str = (char *)0;
o->o_next = NULL;
return o;
}
@ -661,6 +664,13 @@ char *file;
{
ipmon_action_t *a;
FILE *fp;
char *s;
s = getenv("YYDEBUG");
if (s != NULL)
yydebug = atoi(s);
else
yydebug = 0;
while ((a = alist) != NULL) {
alist = a->ac_next;
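Review bot: The `getenv("YYDEBUG")` block added in the last hunk makes parser tracing depend on an environment variable that nothing in the change documents, and `atoi` turns any non-numeric value into 0 without a diagnostic. A one-line comment above it, for example `/* YYDEBUG=<n> in the environment enables yacc parser tracing */`, would tell an operator why the output changes when that variable happens to be set in the environment ipmon is started from. The enclosing function starts and ends outside the hunk.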


@ -1,4 +1,4 @@
/* $NetBSD: ipnat.c,v 1.1.1.1 2004/03/28 08:56:34 martti Exp $ */
/* $NetBSD: ipnat.c,v 1.1.1.2 2004/07/23 05:34:51 martti Exp $ */
/*
* Copyright (C) 1993-2001 by Darren Reed.
@ -67,7 +67,7 @@ extern char *sys_errlist[];
#if !defined(lint)
static const char sccsid[] ="@(#)ipnat.c 1.9 6/5/96 (C) 1993 Darren Reed";
static const char rcsid[] = "@(#)Id: ipnat.c,v 1.24 2003/11/12 09:34:33 darrenr Exp";
static const char rcsid[] = "@(#)Id: ipnat.c,v 1.24.2.1 2004/04/28 17:56:22 darrenr Exp";
#endif
@ -327,6 +327,8 @@ int opts;
if (kmemcpy((char *)&nat, (long)np, sizeof(nat)))
break;
printactivenat(&nat, opts);
if (nat.nat_aps)
printaps(nat.nat_aps, opts);
}
if (opts & OPT_VERBOSE)
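Review bot: `nat.nat_aps` in the last hunk is a field of a structure that was just copied out of kernel memory with `kmemcpy`, so the value handed to `printaps` is presumably a kernel address rather than something this process can dereference. printaps is defined outside this hunk; it is worth confirming that it copies the session in with kmemcpy before reading any field. A comment above the call, such as `/* nat_aps is a kernel address; printaps() must copy it in before use */`, would record that requirement. The enclosing loop starts outside the hunk.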


@ -0,0 +1,30 @@
The contents of this directory sub tree is dedicated to regression testing
of IPFilter.
The tests are broken down into these groups:
f - filter rule tests
i - parsing & printing test of ipf rules
in - parsing & printing test of ipnat rules
ipv6 - ipv6 filter rule tests
l - logging test
n - NAT testing
ni - combined NAT & IPF tests
TEST
f1 - block/pass, in/out.
f2 - proto
f3 - from IP#
f4 - to #IP
f5 - source port
f6 - destination port
f7 - icmp-type, code
f8 - flags
f9 - ipoptions
f10 - ipoptions
f11 - keep frag/state
f12 - short/frag
f13 - keep frag/state (fragmented packets)
f14 - from !host, to !host
f15 - groups
f16 - skip
f17 - TCP state transition on flags


@ -11,4 +11,5 @@ pass in log body quick from any to any
block return-rst in quick on le0(!) proto tcp from any to any
block return-icmp in on qe0(!) from any to any
block return-icmp(host-unr) in on qe0(!) from any to any
block return-icmp-as-dest(port-unr) in on qe0(!) from any to any
pass out on longNICname0(!) from 254.220.186.152/32 to 254.220.186.152/32


@ -2,3 +2,7 @@ block in on eri0(!) all head 1
pass in on eri0(!) proto icmp from any to any group 1
pass out on ed0(!) all head 1000000
block out on ed0(!) proto udp from any to any group 1000000
block in on vm0(!) proto tcp/udp from any to any head 101
pass in proto tcp/udp from 1.1.1.1/32 to 2.2.2.2/32 group 101
pass in proto tcp from 1.0.0.1/32 to 2.0.0.2/32 group 101
pass in proto udp from 2.0.0.2/32 to 3.0.0.3/32 group 101


@ -1,6 +1,7 @@
log in proto tcp from any to any
pass in proto tcp from any to any
pass in proto udp from 127.0.0.1/32 to 127.0.0.1/32
block in proto ipv6 from any to any
block in proto udp from any to any
block in proto 250 from any to any
pass in proto tcp/udp from any to any


@ -1,4 +1,5 @@
log in all
pass in from 128.16.0.0/16 to 129.10.10.0/24
pass in from 128.0.0.0/24 to 128.0.0.0/16
pass in from 128.0.0.0/24 to 128.0.0.0/16
pass in from 128.0.0.0/24 to 128.0.0.0/16


@ -2,6 +2,6 @@ log in proto tcp from any port > 0 to any
log in proto tcp from any to any port > 0
pass in proto tcp from any port != 0 to any port 0 >< 65535
pass in proto udp from 127.0.0.1/32 port > 32000 to 127.0.0.1/32 port < 29000
block in proto udp from any port != 123 to any port < 123
block in proto udp from any port != 123 to any port < 7
block in proto tcp from any port = 25 to any port > 25
pass in proto tcp/udp from any port 1 >< 3 to any port 1 <> 3


@ -1,4 +1,7 @@
pass in on lo0(!) fastroute from any to any
pass in on lo0(!) to qe0(!) from 127.0.0.1/32 to 127.0.0.1/32
pass in on le0(!) to qe0(!):127.0.0.1 from 127.0.0.1/32 to 127.0.0.1/32
pass in on lo0(!) dup-to qe0(!) from 127.0.0.1/32 to 127.0.0.1/32
pass in on qe0(!) dup-to qe0(!):127.0.0.1 from 127.0.0.1/32 to 127.0.0.1/32
pass in on le0(!) dup-to qe0(!):127.0.0.1 from 127.0.0.1/32 to 127.0.0.1/32
pass in on le0(!) dup-to qe0(!):127.0.0.1 to hme0(!):10.1.1.1 from 127.0.0.1/32 to 127.0.0.1/32
block in quick on qe0(!) to qe1(!) from any to any


@ -1,4 +1,4 @@
pass in from 127.0.0.1/32 to 127.0.0.1/32 with short
pass in from 127.0.0.1/32 to 127.0.0.1/32 with short,frag
block in from any to any with ipopts
pass in from any to any with opt nop,rr,zsu
pass in from any to any with opt nop,rr,zsu not opt lsrr,ssrr


@ -22,3 +22,5 @@ rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1 port 80 tcp round-robin frag age 30/30
rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1,1.1.1.2 port 80 tcp round-robin frag age 40/40
rdr ge0 9.8.7.6/32 port 21 -> 1.1.1.1 port 21 tcp proxy ftp
rdr ge0 9.8.7.6/32 port 21 -> 1.1.1.1 port 21 tcp proxy ftp
rdr le0 9.8.7.6/32 port 1000-2000 -> 1.1.1.1 port 5555 tcp
rdr le0 9.8.7.6/32 port 1000-2000 -> 1.1.1.1 port = 5555 tcp


@ -1,5 +1,3 @@
.\" $NetBSD: ipv6.1,v 1.1.1.1 2002/05/13 06:33:09 martti Exp $
.\"
pass
pass
--------


@ -1,5 +1,3 @@
.\" $NetBSD: ipv6.2,v 1.1.1.2 2004/03/28 08:56:53 martti Exp $
.\"
nomatch
block
nomatch


@ -1,5 +1,3 @@
.\" $NetBSD: ipv6.3,v 1.1.1.1 2004/03/28 08:56:53 martti Exp $
.\"
pass
nomatch
nomatch


@ -0,0 +1,51 @@
ip 20(20) 255 10.1.1.0 > 10.1.1.2
ip 20(20) 255 1.6.7.8 > 10.1.1.2
ip 20(20) 255 10.1.1.2 > 10.1.1.1
ip 20(20) 255 10.2.2.1 > 10.1.2.1
ip 20(20) 255 10.2.2.2 > 10.1.2.1
ip 20(20) 255 10.1.1.1 > 10.1.1.2
ip 20(20) 255 10.1.1.2 > 10.1.1.1
ip 20(20) 255 10.2.2.1 > 10.2.1.1
ip 20(20) 255 10.2.2.2 > 10.2.1.1
ip 20(20) 255 10.2.2.3 > 10.1.1.1
ip 20(20) 255 10.2.3.4 > 10.2.2.2
ip 20(20) 255 10.1.1.1 > 10.2.2.2
ip 20(20) 255 10.1.1.2 > 10.2.2.2
ip 20(20) 255 10.1.1.0 > 10.3.4.5
ip 20(20) 255 10.1.1.1 > 10.3.4.5
ip 20(20) 255 10.1.1.2 > 10.3.4.5
-------------------------------
ip 20(20) 255 10.2.2.2 > 10.1.1.2
ip 20(20) 255 10.1.1.1 > 10.1.1.2
ip 20(20) 255 10.2.2.2 > 10.1.1.1
ip 20(20) 255 10.2.2.1 > 10.1.2.1
ip 20(20) 255 10.2.2.2 > 10.1.2.1
ip 20(20) 255 10.1.1.1 > 10.1.1.2
ip 20(20) 255 10.1.1.2 > 10.1.1.1
ip 20(20) 255 10.2.2.1 > 10.2.1.1
ip 20(20) 255 10.2.2.2 > 10.2.1.1
ip 20(20) 255 10.2.2.3 > 10.1.1.1
ip 20(20) 255 10.2.3.4 > 10.1.1.0
ip 20(20) 255 10.1.1.1 > 10.1.1.2
ip 20(20) 255 10.1.1.2 > 10.1.1.0
ip 20(20) 255 10.1.1.0 > 10.3.4.5
ip 20(20) 255 10.1.1.1 > 10.3.4.5
ip 20(20) 255 10.1.1.2 > 10.3.4.5
-------------------------------
ip 20(20) 255 10.3.4.0 > 10.1.1.2
ip 20(20) 255 10.3.4.1 > 10.1.1.2
ip 20(20) 255 10.3.4.2 > 10.1.1.1
ip 20(20) 255 10.2.2.1 > 10.1.2.1
ip 20(20) 255 10.2.2.2 > 10.1.2.1
ip 20(20) 255 10.1.1.1 > 10.1.1.2
ip 20(20) 255 10.1.1.2 > 10.1.1.1
ip 20(20) 255 10.2.2.1 > 10.2.1.1
ip 20(20) 255 10.2.2.2 > 10.2.1.1
ip 20(20) 255 10.2.2.3 > 10.1.1.1
ip 20(20) 255 10.2.3.4 > 10.2.2.2
ip 20(20) 255 10.1.1.1 > 10.2.2.2
ip 20(20) 255 10.1.1.2 > 10.2.2.2
ip 20(20) 255 10.1.1.0 > 10.1.1.5
ip 20(20) 255 10.1.1.1 > 10.1.1.5
ip 20(20) 255 10.1.1.2 > 10.1.1.5
-------------------------------


@ -9,6 +9,16 @@ ip 40(20) 6 10.2.3.1,1237 > 10.1.1.4,80
ip 40(20) 6 10.2.3.1,1238 > 10.1.1.4,80
-------------------------------
ip 40(20) 6 10.2.3.1,1230 > 10.1.1.1,22
ip 40(20) 6 10.2.3.1,1231 > 10.2.2.1,10023
ip 40(20) 6 10.2.3.1,1232 > 10.2.2.1,10023
ip 40(20) 6 10.2.3.1,1233 > 10.2.2.1,10023
ip 40(20) 6 10.2.3.1,1234 > 10.1.1.1,80
ip 40(20) 6 10.2.3.1,1235 > 10.1.1.2,80
ip 40(20) 6 10.2.3.1,1236 > 10.1.1.3,80
ip 40(20) 6 10.2.3.1,1237 > 10.1.1.4,80
ip 40(20) 6 10.2.3.1,1238 > 10.1.1.4,80
-------------------------------
ip 40(20) 6 10.2.3.1,1230 > 10.1.1.1,22
ip 40(20) 6 10.2.3.1,1231 > 10.1.1.1,23
ip 40(20) 6 10.2.3.1,1232 > 10.1.1.1,50
ip 40(20) 6 10.2.3.1,1233 > 10.1.1.1,79


@ -1,5 +1,5 @@
4500 0054 8bc1 0000 ff01 13d5 0a0a 0a01 0404 0404 0800 e392 6220 0000 3f6f 6e80 000b 0d02 0809 0a0b 0c0d 0e0f 1011 1213 1415 1617 1819 1a1b 1c1d 1e1f 2021 2223 2425 2627 2829 2a2b 2c2d 2e2f 3031 3233 3435 3637
4500 0054 3fd5 4000 ff01 2fc8 0404 0404 0202 0202 0000 db8b 6220 0000 3f6f 6e80 000b 0d02 0809 0a0b 0c0d 0e0f 1011 1213 1415 1617 1819 1a1b 1c1d 1e1f 2021 2223 2425 2627 2829 2a2b 2c2d 2e2f 3031 3233 3435 3637
4500 0054 8bc1 0000 ff01 13d5 0a0a 0a01 0404 0404 0800 e391 6220 0001 3f6f 6e80 000b 0d02 0809 0a0b 0c0d 0e0f 1011 1213 1415 1617 1819 1a1b 1c1d 1e1f 2021 2223 2425 2627 2829 2a2b 2c2d 2e2f 3031 3233 3435 3637
4500 0054 3fd5 4000 ff01 2fc8 0404 0404 0202 0202 0000 db8a 6220 0001 3f6f 6e80 000b 0d02 0809 0a0b 0c0d 0e0f 1011 1213 1415 1617 1819 1a1b 1c1d 1e1f 2021 2223 2425 2627 2829 2a2b 2c2d 2e2f 3031 3233 3435 3637
4500 0054 8bc1 0000 ff01 13d5 0a0a 0a01 0404 0404 0800 efdf 6220 0000 3f6f 6e80 000b 0d02 0809 0a0b 0c0d 0e0f 1011 1213 1415 1617 1819 1a1b 1c1d 1e1f 2021 2223 2425 2627 2829 2a2b 2c2d 2e2f 3031 3233 3435 3637
4500 0054 3fd5 4000 ff01 2fc8 0404 0404 0202 0202 0000 f7df 6220 0000 3f6f 6e80 000b 0d02 0809 0a0b 0c0d 0e0f 1011 1213 1415 1617 1819 1a1b 1c1d 1e1f 2021 2223 2425 2627 2829 2a2b 2c2d 2e2f 3031 3233 3435 3637
4500 0054 8bc1 0000 ff01 13d5 0a0a 0a01 0404 0404 0800 efde 6220 0001 3f6f 6e80 000b 0d02 0809 0a0b 0c0d 0e0f 1011 1213 1415 1617 1819 1a1b 1c1d 1e1f 2021 2223 2425 2627 2829 2a2b 2c2d 2e2f 3031 3233 3435 3637
4500 0054 3fd5 4000 ff01 2fc8 0404 0404 0202 0202 0000 f7de 6220 0001 3f6f 6e80 000b 0d02 0809 0a0b 0c0d 0e0f 1011 1213 1415 1617 1819 1a1b 1c1d 1e1f 2021 2223 2425 2627 2829 2a2b 2c2d 2e2f 3031 3233 3435 3637
-------------------------------


@ -1,5 +1,5 @@
4500 0054 8bc1 0000 ff01 17d9 0202 0202 0a0a 0a01 0800 e392 6220 0000 3f6f 6e80 000b 0d02 0809 0a0b 0c0d 0e0f 1011 1213 1415 1617 1819 1a1b 1c1d 1e1f 2021 2223 2425 2627 2829 2a2b 2c2d 2e2f 3031 3233 3435 3637
4500 0054 3fd5 4000 ff01 2fc8 0404 0404 0202 0202 0000 db8b 6220 0000 3f6f 6e80 000b 0d02 0809 0a0b 0c0d 0e0f 1011 1213 1415 1617 1819 1a1b 1c1d 1e1f 2021 2223 2425 2627 2829 2a2b 2c2d 2e2f 3031 3233 3435 3637
4500 0054 8bc1 0000 ff01 17d9 0202 0202 0a0a 0a01 0800 e391 6220 0001 3f6f 6e80 000b 0d02 0809 0a0b 0c0d 0e0f 1011 1213 1415 1617 1819 1a1b 1c1d 1e1f 2021 2223 2425 2627 2829 2a2b 2c2d 2e2f 3031 3233 3435 3637
4500 0054 3fd5 4000 ff01 2fc8 0404 0404 0202 0202 0000 db8a 6220 0001 3f6f 6e80 000b 0d02 0809 0a0b 0c0d 0e0f 1011 1213 1415 1617 1819 1a1b 1c1d 1e1f 2021 2223 2425 2627 2829 2a2b 2c2d 2e2f 3031 3233 3435 3637
4500 0054 8bc1 0000 ff01 17d9 0202 0202 0a0a 0a01 0800 efdf 6220 0000 3f6f 6e80 000b 0d02 0809 0a0b 0c0d 0e0f 1011 1213 1415 1617 1819 1a1b 1c1d 1e1f 2021 2223 2425 2627 2829 2a2b 2c2d 2e2f 3031 3233 3435 3637
4500 0054 3fd5 4000 ff01 2fc8 0404 0404 0202 0202 0000 f7df 6220 0000 3f6f 6e80 000b 0d02 0809 0a0b 0c0d 0e0f 1011 1213 1415 1617 1819 1a1b 1c1d 1e1f 2021 2223 2425 2627 2829 2a2b 2c2d 2e2f 3031 3233 3435 3637
4500 0054 8bc1 0000 ff01 17d9 0202 0202 0a0a 0a01 0800 efde 6220 0001 3f6f 6e80 000b 0d02 0809 0a0b 0c0d 0e0f 1011 1213 1415 1617 1819 1a1b 1c1d 1e1f 2021 2223 2425 2627 2829 2a2b 2c2d 2e2f 3031 3233 3435 3637
4500 0054 3fd5 4000 ff01 2fc8 0404 0404 0202 0202 0000 f7de 6220 0001 3f6f 6e80 000b 0d02 0809 0a0b 0c0d 0e0f 1011 1213 1415 1617 1819 1a1b 1c1d 1e1f 2021 2223 2425 2627 2829 2a2b 2c2d 2e2f 3031 3233 3435 3637
-------------------------------


@ -1,3 +1,4 @@
4500 0028 0000 4000 0111 0dd7 0606 0606 0404 0404 afc9 829e 0014 6308 0402 0000 3be5 468d 000a cfc3
4500 0038 809a 0000 ff01 9739 0303 0303 0202 0202 0b00 a537 0000 0000 4500 0028 4703 4000 0111 ef89 0202 0202 0404 0404 afc9 829e 0014 c966
4500 0028 0000 4000 0111 65b2 0606 0606 0404 0404 afc9 829e 0014 6308 0402 0000 3be5 468d 000a cfc3
4500 0038 809a 0000 ff01 3121 0303 0303 0202 0202 0b00 5773 0000 0000 4500 0028 0000 4000 0111 6dba 0202 0202 0404 0404 afc9 829e 0014 6b10
4500 0044 809a 0000 ff01 3115 0303 0303 0202 0202 0b00 0131 0000 0000 4500 0028 0000 4000 0111 6dba 0202 0202 0404 0404 afc9 829e 0014 6b10 0402 0000 3be5 468d 000a cfc3
-------------------------------


@ -0,0 +1,5 @@
4500 003c 4706 4000 ff06 20a2 0404 0404 0606 0606 5000 0050 0000 0001 0000 0000 a002 16d0 d0da 0000 0204 05b4 0402 080a 0047 fbb0 0000 0000 0103 0300
4500 0038 0000 0000 ff01 afb9 0202 0202 0404 0404 0303 acab 0000 0000 4500 003c 4706 4000 ff06 28aa 0404 0404 0202 0202 5000 0050 0000 0001
4500 0058 809a 0000 ff01 2cfd 0303 0303 0404 0404 0303 113f 0000 0000 4500 003c 4706 4000 ff06 20a2 0404 0404 0606 0606 5000 0050 0000 0001 0000 0000 a002 16d0 d0da 0000 0204 05b4 0402 080a 0047 fbb0 0000 0000 0103 0300
4500 0038 809a 0000 ff01 2b1b 0303 0303 0505 0505 0303 acab 0000 0000 4500 003c 4706 4000 ff06 28ab 0404 0404 0202 0201 5000 0050 0000 0001
-------------------------------
